Course Introduction

Overview

This lesson includes the following topics:
- Course objectives
- Course agenda
- Participant responsibilities
- General administration
- Graphic symbols
- Participant introductions
- Cisco Security Career Certifications
- Lab topology overview
Course Objectives

This topic introduces the course and the course objectives.

Upon completion of this course, you will be able to perform the following tasks:
- Describe the features, functions, and benefits of Cisco VPN products.
- Explain the IPSec and IKE component technologies that are implemented in Cisco VPN products.
- Install and configure the Cisco VPN Software Client.
- Configure the Cisco VPN 3000 Series Concentrators for remote access using digital certificates.
- Configure the Cisco VPN Client for auto-initiation.
- Configure the Cisco VPN 3000 Series Concentrator firewall feature.
- Configure the Cisco VPN 3002 Hardware Client for remote access using pre-shared keys.
- Configure the Cisco VPN Client for software auto-update.
- Configure the Cisco VPN 3002 Hardware Client for interactive unit and individual user authentication.
- Configure the Cisco VPN Client for a backup server and load balancing.
- Configure the Cisco VPN 3000 Series Concentrator for IPSec over TCP or IPSec over UDP.
- Configure the Cisco VPN 3000 Series Concentrator for LAN-to-LAN with pre-shared keys.
- Configure the Cisco VPN 3000 Series Concentrator for LAN-to-LAN with NAT.
- Configure the Cisco VPN 3000 Series Concentrator for LAN-to-LAN with digital certificates.
Course Agenda

Day 1
- Lesson 1—Course Introduction
- Lesson 2—Security Fundamentals
- Lesson 3—Overview of Virtual Private Networks and IPSec Technologies
- Lunch
- Lesson 4—Cisco Virtual Private Network 3000 Concentrator Series Hardware Overview
- Lesson 5—Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Pre-shared Keys

Day 2
- Lesson 6—Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Digital Certificates
- Lesson 7—Configure the Cisco Virtual Private Network Firewall Feature for the IPSec Software Client
- Lunch
- Lesson 8—Configure the Cisco Virtual Private Network Client Auto-Initiation Feature
- Lesson 9—Monitor and Administer the Cisco VPN 3000 Series Concentrator Remote Access Networks

Day 3
- Lesson 10—Configure the Cisco VPN 3002 Hardware Client for Remote Access Using Pre-Shared Keys
- Lesson 11—Configure the Cisco VPN 3002 Hardware Client for Unit and User Authentication
- Lunch
- Lesson 12—Configure the Cisco Virtual Private Network 3002 Hardware Client for a Backup Server, and Load Balancing
- Lesson 13—Configure the Cisco Virtual Private Network Client for Software Auto-Update

Day 4
- Lesson 14—Configuring the Cisco Virtual Private Network 3000 Series Concentrator for IPSec over UDP and IPSec over TCP
- Lesson 15—Cisco Virtual Private Network 3000 Series Concentrator LAN-to-LAN with Pre-Shared Keys
- Lunch
- Lesson 16—Cisco Virtual Private Network 3000 Series Concentrator LAN-to-LAN with NAT
- Lesson 17—Configure the Cisco Virtual Private Network 3000 Series Concentrator LAN-to-LAN Using Digital Certificates
Student Responsibilities

- Complete prerequisites
- Participate in lab exercises
- Ask questions
- Provide feedback
General Administration

Class-related
- Sign-in sheet
- Length and times
- Break and lunch room locations
- Attire

Facilities-related
- Participant materials
- Site emergency procedures
- Restrooms
- Telephones/faxes
Graphic Symbols

[Figure: the graphic symbols used in this course: IOS Router, PIX Firewall, Network Access Server, Policy Manager, VPN 3000, IDS Sensor, Catalyst 6500 with IDS Module, IOS Firewall, CA Server, Laptop, Server (Web, FTP, etc.), Ethernet link, VPN tunnel, Network cloud.]
Participant Introductions

- Your name
- Your company
- Prerequisite skills
- Brief history
- Objective
Cisco Security Career Certifications

Expand Your Professional Options and Advance Your Career

Cisco Certified Security Professional (CCSP) Certification
Professional-level recognition in designing and implementing Cisco security solutions (Network Security).

Required Exam   Recommended Training through Cisco Learning Partners
642-501         Securing Cisco IOS Networks
642-511         Cisco Secure Virtual Private Networks
642-531         Cisco Secure Intrusion Detection System
642-521         Cisco Secure PIX Firewall Advanced
642-541         Cisco SAFE Implementation

www.cisco.com/go/training

Enhance Your Cisco Certifications and Validate Your Areas of Expertise

Cisco Firewall, VPN, and IDS Specialists

Cisco Firewall Specialist
Pre-requisite: Valid CCNA certification
Required Exam   Recommended Training through Cisco Learning Partners
642-501         Securing Cisco IOS Networks
642-521         Cisco Secure PIX Firewall Advanced

Cisco VPN Specialist
Pre-requisite: Valid CCNA certification
Required Exam   Recommended Training through Cisco Learning Partners
642-501         Securing Cisco IOS Networks
642-511         Cisco Secure Virtual Private Networks

Cisco IDS Specialist
Pre-requisite: Valid CCNA certification
Required Exam   Recommended Training through Cisco Learning Partners
642-501         Securing Cisco IOS Networks
642-531         Cisco Secure Intrusion Detection System

www.cisco.com/go/training
Lab Topology Overview

This topic explains the three lab topologies that are used in this course.

[Figure: CSVPN Software Client-to-LAN lab visual objective. The Student PC running the VPN Client (172.26.26.P) reaches the Concentrator; a CA server is at 172.26.26.51.]

[Figure: CSVPN 3002 Hardware Client-to-LAN lab visual objective. The Student PC on network 192.168.P.0 sits behind the Hardware Client (192.168.1PP.2 on network 192.168.1PP.0), which tunnels to the Concentrator; a Web and FTP server is behind the Concentrator.]

[Figure: CSVPN LAN-to-LAN lab visual objective (Pods 6-10). Each pod has a Student PC, a Web and FTP server, and a Concentrator on its 192.168.P.0 network; the two Concentrators build a LAN-to-LAN tunnel between the pods, a CA server is reachable by both sides, and an inside host is shown at 10.0.P.15.]

In this lab exercise each pair of students will be assigned a pod. In general, you will be setting up VPNs between your pod (Pod P) and your assigned peer pod (Pod Q).

Note: The P in a command indicates your pod number. The Q in a command indicates the pod number of your peer router.
Security Fundamentals

Overview

This lesson describes security fundamentals. It includes the following topics:
- Objectives
- Need for network security
- Network security policy
- The security wheel
- Network attack taxonomy
- Management protocols and functions
- Summary

Objectives

This topic lists the lesson's objectives.

Upon completion of this lesson, you will be able to perform the following tasks:
- Describe the need for network security.
- Identify the components of a complete security policy.
- Explain how security is an ongoing process.
- Describe the four types of security threats.
- Describe common attack methods and techniques used by hackers.
- List the general recommendations for mitigating common attack methods and techniques.
- Identify the security issues implicit in common management protocols.
Need for Network Security

Over the past few years, Internet-enabled business, or e-business, has drastically improved companies' efficiency and revenue growth. E-business applications such as e-commerce, supply-chain management, and remote access enable companies to streamline processes, lower operating costs, and increase customer satisfaction. Such applications require mission-critical networks that accommodate voice, video, and data traffic, and these networks must be scalable to support increasing numbers of users and the need for greater capacity and performance. However, as networks enable more and more applications and are available to more and more users, they become ever more vulnerable to a wider range of security threats. To combat those threats and ensure that e-business transactions are not compromised, security technology must play a major role in today's networks.

The Closed Network

[Figure: closed network. A corporate network connects to a remote site over Frame Relay and X.25 leased lines only, with no connection to public networks.]

The closed network typically consists of a network designed and implemented in a corporate environment that provides connectivity only to known parties and sites, without connecting to public networks. Networks were designed this way in the past and were thought to be reasonably secure because they had no outside connectivity.
The Network Today

[Figure: open network. Mobile and remote users, a remote site, and an Internet-based extranet (VPN) all reach the corporate network through the Internet.]

Networks today are designed with connectivity to the Internet and public networks, which is a major requirement. Most of today's networks have several access points to other networks, both public and private; therefore, securing these networks has become fundamentally important.
Threat Capabilities: More Dangerous and Easier to Use

[Figure: over time the sophistication of hacker tools rises while the technical knowledge required to use them falls. Techniques shown, from earliest to most recent: password guessing, self-replicating code, exploiting known vulnerabilities, disabling audits, back doors, hijacking sessions, sniffers, stealth diagnostics, packet forging/spoofing.]

With the development of large open networks there has been a huge increase in security threats in the past twenty years. Not only have hackers discovered more vulnerabilities, but the tools used and the technical knowledge required to hack a network have become simpler. Downloadable applications are available that require little or no hacking knowledge to use. There are also legitimate applications intended for troubleshooting a network that, when used improperly, can pose severe threats.
The Role of Security Is Changing

Security has moved to the forefront of network management and implementation. It is necessary for the survival of many businesses to allow open access to network resources while ensuring that the data and resources are as secure as possible.

The need for security is becoming more important because of the following:
- Required for e-business—The importance of e-business and the need for private data to traverse public networks have increased the need for network security.
- Required for communicating and doing business safely in potentially unsafe environments—Today's business environment requires communication with many public networks and systems, which increases the need for as much security as is possible when this type of communication is required.
- Networks require development and implementation of a corporate-wide security policy—Establishing a security policy should be the first step in migrating a network to a secure infrastructure.
The E-Business Challenge

[Figure: Internet business value grows through e-commerce, supply chain, customer care, workforce optimization, and e-learning, while expanded access brings heightened security risks. Business security requirements: defense-in-depth, multiple components, integration into the e-business infrastructure, and a comprehensive blueprint.]

Security must be a fundamental component of any e-business strategy. As enterprise network managers open their networks to more users and applications, they also expose these networks to greater risk. The result has been an increase in business security requirements.

The Internet has radically shifted expectations of companies' abilities to build stronger relationships with customers, suppliers, partners, and employees. Driving companies to become more agile and competitive, e-business is giving birth to exciting new applications for e-commerce, supply-chain management, customer care, workforce optimization, and e-learning: applications that streamline and improve processes, speed up turnaround times, lower costs, and increase user satisfaction.

E-business requires mission-critical networks that accommodate ever-increasing constituencies and demands for greater capacity and performance. These networks also need to handle voice, video, and data traffic as networks converge into multiservice environments.
Legal and Governmental Policy Issues

Organizations that operate vulnerable networks will face increasing and substantial liability. US Federal legislation mandating security includes the GLB financial services legislation, the Government Information Security Reform Act, and HIPAA.

The legal ramifications of breaches in data confidentiality and integrity can also be extremely costly for organizations. The US Government has enacted and is currently developing regulations to control the privacy of electronic information. The existing and pending regulations generally stipulate that organizations in violation could face a range of penalties. The following are some examples:

- Gramm-Leach-Bliley (GLB) Act—Includes several privacy regulations for US financial institutions. These institutions could face a range of penalties, from termination of their FDIC insurance to up to US $1 million in monetary penalties.
- Government Information Security Reform Act of 2000—Agencies must undergo annual self-assessments and independent assessments of their security practices and policies, which are required for submission.
- The Health Insurance Portability and Accountability Act (HIPAA) of 1996 (Public Law 104-191)—Part of a broad Congressional attempt at incremental healthcare reform. The "administrative simplification" aspect of that law requires the United States Department of Health and Human Services (DHHS) to develop standards and requirements for maintenance and transmission of health information that identifies individual patients. These standards are designed to do the following:
  — Improve the efficiency and effectiveness of the healthcare system by standardizing the interchange of electronic data for specified administrative and financial transactions
  — Protect the security and confidentiality of electronic health information

Even if an external hacker is the perpetrator of an attack, the company storing that information can potentially be found negligent by the courts if the information was not adequately safeguarded. Furthermore, companies that suffer breaches in data integrity might be required to defend against lawsuits initiated by customers who are negatively affected by the incorrect or offensive data and seek monetary or punitive damages.
Network Security Policy

A security policy can be as simple as an acceptable use policy for network resources, or it can be several hundred pages in length and detail every element of connectivity and associated policies.

What Is a Security Policy?

According to the Site Security Handbook (RFC 2196), "A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide." It further states, "A security policy is essentially a document summarizing how the corporation will use and protect its computing and network resources."
Why Create a Security Policy?

Security policies provide many benefits and are worth the time and effort needed to develop them. Developing a security policy:
- Provides a process to audit existing network security.
- Provides a general security framework for implementing network security.
- Defines which behavior is and is not allowed.
- Helps determine which tools and procedures are needed for the organization.
- Helps communicate consensus among a group of key decision makers and define responsibilities of users and administrators.
- Defines a process for handling network security incidents.
- Enables global security implementation and enforcement. Computer security is now an enterprise-wide issue, and computing sites are expected to conform to the network security policy.
- Creates a basis for legal action if necessary.
What Should the Security Policy Contain?

The following are some of the key policy components:
- Statement of authority and scope—This topic specifies who sponsors the security policy and what areas the policy covers.
- Acceptable use policy—This topic specifies what the company will and will not allow regarding its information infrastructure.
- Identification and authentication policy—This topic specifies what technologies, equipment, or combination of the two the company will use to ensure that only authorized individuals have access to its data.
- Internet access policy—This topic specifies what the company considers ethical and proper use of its Internet access capabilities.
- Campus access policy—This topic specifies how on-campus users will use the company's data infrastructure.
- Remote access policy—This topic specifies how remote users will access the company's data infrastructure.
- Incident handling procedure—This topic specifies how the company will create an incident response team and the procedures it will use during and after an incident occurs.
The Security Wheel

Cisco is serious about network security, and about its implications for the critical infrastructures on which this and other developed nations depend. This topic summarizes the view that network security is a continuous process.

Network Security Is a Continuous Process

[Figure: the security wheel. Secure, Monitor, Test, and Improve form a cycle around the security policy.]

Network security is a continuous process built around a security policy:
- Step 1: Secure
- Step 2: Monitor
- Step 3: Test
- Step 4: Improve

After setting appropriate policies, a company or organization must methodically consider security as part of normal network operations. This could be as simple as configuring routers to not accept unauthorized addresses or services, or as complex as installing firewalls, intrusion detection systems, centralized authentication servers, and encrypted virtual private networks.

After developing a security policy, secure your network using a variety of point products (firewalls, intrusion detection, and so on). Before you can secure your network, however, you need to combine your understanding of your users, the assets needing protection, and the network's topology.
Secure the Network

Implement security solutions to stop or prevent unauthorized access or activities, and to protect information. The following are solutions identified to secure a network:
- Authentication—The recognition of each individual user, and the mapping of their identity, location, and the time to policy; and the authorization of their network services and what they can do on the network.
- Encryption—A method for ensuring the confidentiality, integrity, and authenticity of data communications across a network. The Cisco solution combines several standards, including the Data Encryption Standard (DES).
- Firewalls—A firewall is a set of related programs, located at a network gateway server, that protects the resources of a private network from users from other networks.
- Vulnerability patching—The identification and patching of possible security "holes" that could compromise a network.
Monitor Security

Monitoring:
- Detects violations of the security policy
- Involves system auditing and real-time intrusion detection
- Validates the security implementation in Step 1

To ensure that a network remains secure, it is important to monitor the state of security preparation. Network vulnerability scanners can proactively identify areas of weakness, and IDSs can monitor and respond to security events as they occur. Using security monitoring solutions, organizations can obtain unprecedented visibility into both the network data stream and the security posture of the network.

Copyright © 2005, Cisco Systems, Inc. Security Fundamentals 2-15

Test Security

Testing validates the effectiveness of the security policy through system auditing and vulnerability scanning.

Testing security is as important as monitoring. Without testing the security solutions in place, it is impossible to know about existing or new attacks. The hacker community is an ever-changing environment. You can perform this testing yourself or outsource it to a third party such as the Cisco Security Posture Assessment (SPA) group.

The Cisco SPA is a premium network vulnerability assessment providing comprehensive insight into the security posture of a customer's network. Delivered by highly expert Cisco Network Security Engineers (NSEs), the Cisco SPA includes an operational, granular analysis of large-scale, distributed service provider networks from the perspective of an outside "hacker."
Improve Security

- Use information from the monitor and test phases to make improvements to the security implementation.
- Adjust the security policy as security vulnerabilities and risks are identified.

Monitoring and testing provide the data necessary to improve network security. Administrators and engineers should use the information from the monitor and test phases to make improvements to the security implementation, as well as to adjust the security policy as vulnerabilities and risks are identified.
Network Attack Taxonomy

This topic provides an overview of various network attacks and their effects.

Variety of Attacks

[Figure: a variety of attacks against a network, including dial-in exploitation and compromised hosts. Network attacks can be as varied as the systems that they attempt to penetrate.]

Without proper protection, any part of any network can be susceptible to attacks or unauthorized activity. Routers, switches, and hosts can all be violated by professional hackers, company competitors, or even internal employees. In fact, according to several studies, more than half of all network attacks are waged internally. The Computer Security Institute (CSI) in San Francisco estimates that between 60 and 80 percent of network misuse comes from inside the enterprises where the misuse has taken place. To determine the best ways to protect against attacks, IT managers should understand the many types of attacks that can be instigated and the damage that these attacks can cause to e-business infrastructures.
Network Security Threats

There are four general categories of security threats to the network:
- Unstructured threats—These threats primarily consist of random hackers using various common tools, such as malicious shell scripts, password crackers, credit card number generators, and dialer daemons. Although hackers in this category may have malicious intent, many are more interested in the intellectual challenge of cracking safeguards than in creating havoc.
- Structured threats—These threats are created by hackers who are more highly motivated and technically competent. Typically, such hackers act alone or in small groups to understand, develop, and use sophisticated hacking techniques to penetrate unsuspecting businesses. These groups are often involved with the major fraud and theft cases reported to law enforcement agencies. Occasionally, such hackers are hired by organized crime, industry competitors, or state-sponsored intelligence collection organizations.
- External threats—These threats consist of structured and unstructured threats originating from an external source. These threats can have malicious and destructive intent, or simply be errors that generate a threat.
- Internal threats—These threats are typically from disgruntled former or current employees. Although internal threats may seem more ominous than threats from external sources, security measures are available for reducing vulnerabilities to internal threats and responding when attacks occur.

Specific Attack Types

There are many common attacks that can occur against a network. Any of the following can be used to compromise your system:
- Packet sniffers
- IP weaknesses
- Password attacks
- Denial of service (DoS) or distributed denial of service (DDoS)
- Man-in-the-middle attacks
- Application layer attacks
- Trust exploitation
- Port redirection
- Virus
- Trojan horse
- Operator error

2-20 Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc.

Packet Sniffers

[Figure: a packet sniffer on the shared segment between Host A and Host B captures the packets exchanged between them.]

A packet sniffer is a software application that uses a network adapter card in promiscuous mode to capture all network packets. Packet sniffers have the following characteristics:
- Packet sniffers exploit information passed in clear text. Protocols that pass information in the clear include the following:
  — Telnet
  — FTP
  — SNMP
  — POP
  — HTTP
- Packet sniffers must be on the same collision domain.

A packet sniffer is a software application that uses a network adapter card in promiscuous mode (a mode in which the network adapter card sends all packets received on the physical network wire to an application for processing) to capture all network packets that are sent across a LAN.

Several network applications distribute network packets in clear text; that is, the information sent across the network is not encrypted. Because the network packets are not encrypted, they can be processed and understood by any application that can pick them up off the network and process them.

A network protocol specifies how packets are identified and labeled, which enables a computer to determine whether a packet is intended for it. Because the specifications for network protocols, such as TCP/IP, are widely published, a third party can easily interpret the network packets and develop a packet sniffer. (The real threat today results from the numerous freeware and shareware packet sniffers that are available, which do not require the user to understand anything about the underlying protocols.)
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Packet Sniffer Example 
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There are two primary types of packet 


sniffers: 
¢ General purpose sniffers 
° Sniffers designed for attack purpose 


A packet sniffer can provide its user with meaningful and often sensitive information, such as 
user account names and passwords. If you use networked databases, a packet sniffer can provide 
an attacker with information that is queried from the database, as well as the user account names 
and passwords used to access the database. One serious problem with acquiring user account 
names and passwords is that users often reuse their login names and passwords across multiple 
applications. 


In addition, many network administrators use packet sniffers to diagnose and fix network-related 
problems. Because in the course of their usual and necessary duties these network administrators 
(such as those in a payroll department) work during regular employee hours, they can potentially 
examine sensitive information distributed across the network. 


Many users employ a single password for access to all accounts and applications. Because
attackers know and use human characteristics (attack methods known collectively as social
engineering attacks), such as using a single password for multiple accounts, they are often
successful in gaining access to sensitive information.


There are two primary types of packet sniffers:
■ General purpose
— Captures all packets
— Included with some operating systems
— Freeware and shareware versions available
■ Designed for attack purpose
— Captures first 300 to 400 bytes
— Typically captures login sessions (File Transfer Protocol [FTP], rlogin, and Telnet)
Packet Sniffer Mitigation

The following techniques and tools can be used to mitigate sniffers:
• Authentication—A first option for defense against packet sniffers is to use strong
authentication, such as one-time passwords.
• Switched infrastructure—Deploy a switched infrastructure to counter the use of packet
sniffers in your environment.
• Antisniffer tools—Use these tools to employ software and hardware designed to detect the
use of sniffers on a network.
• Cryptography—The most effective method for countering packet sniffers does not prevent or
detect packet sniffers, but rather renders them irrelevant.


The following techniques and tools can be used to mitigate packet sniffers: 


■ Authentication—Using strong authentication is a first option for defense against packet
sniffers. Strong authentication can be broadly defined as a method of authenticating users 
that cannot easily be circumvented. A common example of strong authentication is one-time 
passwords (OTPs). 


An OTP is a type of two-factor authentication. Two-factor authentication involves using 
something you have combined with something you know. Automated teller machines 
(ATMs) use two-factor authentication. A customer needs both an ATM card and a personal 
identification number (PIN) to make transactions. With OTPs you need a PIN and your 
token card to authenticate to a device or software application. A token card is a hardware or 
software device that generates new, seemingly random, passwords at specified intervals 
(usually 60 seconds). A user combines that random password with a PIN to create a unique 
password that works only for one instance of authentication. If a hacker learns that password 
by using a packet sniffer, the information is useless because the password has already 
expired. Note that this mitigation technique is effective only against a sniffer implementation 
that is designed to grab passwords. Sniffers deployed to learn sensitive information (such as 
mail messages) will still be effective. 


■ Switched infrastructure—This can be used to counter the use of packet sniffers in your
network environment. For example, if an entire organization deploys switched Ethernet, 
hackers can gain access only to the traffic that flows on the specific port to which they 
connect. A switched infrastructure obviously does not eliminate the threat of packet sniffers, 
but it can greatly reduce their effectiveness. 
■ Antisniffer tools—Employing software and hardware designed to detect the use of sniffers
on a network. Such software and hardware does not completely eliminate the threat, but like 
many network security tools, they are part of the overall system. These so-called 
“antisniffers” detect changes in the response time of hosts to determine if the hosts are 
processing more traffic than their own. One such network security software tool, which is 
available from Security Software Technologies, is called AntiSniff. 


■ Cryptography—Rendering packet sniffers irrelevant, which is the most effective method for
countering packet sniffers—even more effective than preventing or detecting packet sniffers. 
If a communication channel is cryptographically secure, the only data a packet sniffer will 
detect is cipher text (a seemingly random string of bits) and not the original message. The 
Cisco deployment of network-level cryptography is based on IPSec, which is a standard 
method for networking devices to communicate privately using IP. Other cryptographic 
protocols for network management include Secure Shell Protocol (SSH) and Secure Sockets 
Layer (SSL). 
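The following is an added example, not part of the course material, showing the token-card scheme described under Authentication: a code that changes every 60 seconds, combined with a PIN, and a verifier that rejects a composite password captured by a packet sniffer and replayed. The token internals (an HMAC-SHA1 truncation in the style of RFC 4226/6238), the seed and the PIN are assumptions for the example.

```python
import hashlib
import hmac
import struct

# Constructed example values, not from the course: a shared seed standing in
# for a token card's secret, and the user's PIN.
TOKEN_SEED = b"constructed-token-seed-0001"
USER_PIN = "4321"
INTERVAL_SECONDS = 60  # the course: token cards change at roughly 60-second intervals


def token_code(seed: bytes, now: float, interval: int = INTERVAL_SECONDS) -> str:
    """Six-digit code for the time window containing `now`.

    Assumption: the token is modelled as an HMAC-SHA1 truncation in the
    style of RFC 4226/6238; the course does not specify the card internals.
    """
    counter = int(now) // interval
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 1_000_000:06d}"


class OtpVerifier:
    """Server side of the two-factor check: PIN (something you know) plus the
    token code (something you have), accepted at most once per window."""

    def __init__(self, seed: bytes, pin: str, interval: int = INTERVAL_SECONDS):
        self.seed = seed
        self.pin = pin
        self.interval = interval
        self.last_accepted_window = None

    def verify(self, submitted: str, now: float) -> bool:
        window = int(now) // self.interval
        # Replay defence: once a window's code has been used, a sniffed copy is
        # rejected even though the token has not yet rolled over.
        if self.last_accepted_window is not None and window <= self.last_accepted_window:
            return False
        expected = self.pin + token_code(self.seed, now, self.interval)
        if not hmac.compare_digest(submitted.encode(), expected.encode()):
            return False
        self.last_accepted_window = window
        return True


def sniffed_password_replay(t0: float = 1_700_000_000.0) -> dict:
    """Walk through the course's scenario: the user authenticates, a packet
    sniffer captures the composite password, and an attacker replays it."""
    verifier = OtpVerifier(TOKEN_SEED, USER_PIN)
    captured = USER_PIN + token_code(TOKEN_SEED, t0)  # what the sniffer sees on the wire

    return {
        "legitimate_login": verifier.verify(captured, t0),
        # Same 60-second window, but the code has already been consumed.
        "replay_same_window": verifier.verify(captured, t0 + 10),
        # Next window: the token has rolled over, so the captured code has expired.
        "replay_next_window": verifier.verify(captured, t0 + 90),
        # The real user, with the card in hand, still gets in during the next window.
        "fresh_login_next_window": verifier.verify(
            USER_PIN + token_code(TOKEN_SEED, t0 + 90), t0 + 90),
    }
```

As the course notes, this defeats only a sniffer that grabs passwords; other cleartext on the wire (mail messages, database results) is still readable.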
IP Spoofing

• IP spoofing occurs when a hacker inside or outside a network impersonates the
conversations of a trusted computer.
• Two general techniques are used during IP spoofing:
— A hacker uses an IP address that is within the range of trusted IP addresses.
— A hacker uses an authorized external IP address that is trusted.
• Uses for IP spoofing include the following:
— IP spoofing is usually limited to the injection of malicious data or commands into an
existing stream of data.
— If a hacker changes the routing tables to point to the spoofed IP address, then the hacker
can receive all the network packets that are addressed to the spoofed address and reply
just as any trusted user can.


An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted 
computer, either by using an IP address that is within the range of IP addresses for your network 
or by using an authorized external IP address that you trust and to which you wish to provide 
access to specified resources on your network. 


Normally, an IP spoofing attack is limited to the injection of data or commands into an existing 
stream of data passed between a client and server application or a peer-to-peer network 
connection. To enable bi-directional communication, the attacker must change all routing tables 
to point to the spoofed IP address. Another approach the attacker could take is to simply not 
worry about receiving any response from the applications. For example, if an attacker is 
attempting to get a system to mail him or her a sensitive file, application responses are 
unimportant. 


However, if an attacker manages to change the routing tables to point to the spoofed IP address, 
he can receive all the network packets that are addressed to the spoofed address and reply just as 
any trusted user can. Like packet sniffers, IP spoofing is not restricted to people who are external 
to the network. 


Although not as common, IP spoofing can also gain access to user accounts and passwords, and 
it can also be used in other ways. For example, an attacker can emulate one of your internal users 
in ways that prove embarrassing for your organization; the attacker could send e-mail messages 
to business partners that appear to have originated from someone within your organization. Such 
attacks are easier when an attacker has a user account and password, but they are possible by 
combining simple spoofing attacks with knowledge of messaging protocols. 
IP Spoofing Mitigation

The threat of IP spoofing can be reduced, but not eliminated, through the following measures:
• Access control—The most common method for preventing IP spoofing is to properly
configure access control.
• RFC 2827 filtering—Prevent any outbound traffic on your network that does not have a
source address in your organization's own IP range.
• Additional authentication that does not use IP-based authentication—Examples of this
include the following:
— Cryptographic (recommended)
— Strong, two-factor, one-time passwords


The threat of IP spoofing can be reduced, but not eliminated, through the following measures: 


■ Access control—The most common method for preventing IP spoofing is to properly
configure access control. To reduce the effectiveness of IP spoofing, configure access 
control to deny any traffic from the external network that has a source address that should 
reside on the internal network. Note that this helps prevent spoofing attacks only if the 
internal addresses are the only trusted addresses. If some external addresses are trusted, this 
method is not effective. 


■ RFC 2827 filtering—You can prevent users of your network from spoofing other networks
(and be a good Internet citizen at the same time) by preventing any outbound traffic on your 
network that does not have a source address in your organization's own IP range. 


This filtering denies any traffic that does not have the source address that was expected on a 
particular interface. For example, if an ISP is providing a connection to the IP address 
15.1.1.0/24, the ISP could filter traffic so that only traffic sourced from address 15.1.1.0/24 
can enter the ISP router from that interface. Note that unless all ISPs implement this type of 
filtering, its effectiveness is significantly reduced. 


■ Additional Authentication—The most effective method for mitigating the threat of IP
spoofing is the same as the most effective method for mitigating the threat of packet sniffers: 
namely, eliminating its effectiveness. IP spoofing can function correctly only when devices 
use IP address-based authentication; therefore, if you use additional authentication methods, 
IP spoofing attacks are irrelevant. Cryptographic authentication is the best form of additional 
authentication, but when that is not possible, strong two-factor authentication using OTP can 
also be effective. 
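Added example, not from the course: the two IP-based measures above, access control on the outside interface and RFC 2827 egress filtering on the inside interface, applied to constructed packets for the 15.1.1.0/24 range used in the text. The interface names, the trusted external address 198.51.100.7 and the other peer addresses (RFC 5737 documentation space) are assumptions; the last packet shows why IP-based filtering cannot cover a trusted external address.

```python
import ipaddress
from dataclasses import dataclass

# The organization's own range, taken from the course's RFC 2827 example.
OWN_PREFIXES = [ipaddress.ip_network("15.1.1.0/24")]

# Assumption for the example: one external address the organization chooses to
# trust, drawn from RFC 5737 documentation space rather than from the course.
TRUSTED_EXTERNAL = {ipaddress.ip_address("198.51.100.7")}


@dataclass(frozen=True)
class Packet:
    ingress: str  # "outside" or "inside": the interface the packet arrived on
    src: str
    dst: str


def is_own_address(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in OWN_PREFIXES)


def antispoof_access_control(pkt: Packet) -> bool:
    """Measure 1: deny traffic from the external network whose source address
    should reside on the internal network."""
    return not (pkt.ingress == "outside" and is_own_address(pkt.src))


def rfc2827_egress_filter(pkt: Packet) -> bool:
    """Measure 2: traffic leaving the network (arriving on the inside interface)
    must carry a source address from the organization's own range. Applied on
    an ISP router's customer-facing interface, this is the 15.1.1.0/24 example."""
    return not (pkt.ingress == "inside" and not is_own_address(pkt.src))


def filter_packet(pkt: Packet) -> str:
    """Apply both filters and return a verdict suitable for a log line."""
    if not antispoof_access_control(pkt):
        return "deny: internal source address arriving from outside"
    if not rfc2827_egress_filter(pkt):
        return "deny: outbound source not in own range (RFC 2827)"
    return "permit"


def trusted_by_ip(pkt: Packet) -> bool:
    """IP address-based trust, the kind of check the course says spoofing relies on."""
    return ipaddress.ip_address(pkt.src) in TRUSTED_EXTERNAL


def run_constructed_traffic() -> dict:
    """Constructed packets (192.0.2.0/24 and 203.0.113.0/24 are RFC 5737
    documentation ranges) exercising each rule and the course's caveat."""
    packets = {
        # Outside attacker claiming an inside address: stopped by access control.
        "spoofed_internal_from_outside": Packet("outside", "15.1.1.25", "15.1.1.10"),
        # Compromised inside host using someone else's range: stopped by RFC 2827.
        "spoofed_external_from_inside": Packet("inside", "203.0.113.9", "192.0.2.1"),
        "legitimate_outbound": Packet("inside", "15.1.1.40", "192.0.2.1"),
        "legitimate_inbound": Packet("outside", "192.0.2.1", "15.1.1.40"),
        # Outside attacker claiming the trusted external address: neither filter
        # can tell this from the real peer, so authentication must not rest on IP.
        "spoofed_trusted_external": Packet("outside", "198.51.100.7", "15.1.1.10"),
    }
    verdicts = {name: filter_packet(p) for name, p in packets.items()}
    verdicts["spoofed_trusted_external_passes_ip_trust"] = trusted_by_ip(
        packets["spoofed_trusted_external"]
    )
    return verdicts
```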


Copyright © 2005, Cisco Systems, Inc. Security Fundamentals 2-27 


DoS

DoS attacks focus on making a service unavailable for normal use. They have the
following characteristics:
• Different from most other attacks because they are generally not targeted at gaining access
to your network or the information on your network
• Require very little effort to execute
• Among the most difficult to completely eliminate

DoS attacks are different from most other attacks because they are not targeted at gaining access 
to your network or the information on your network. These attacks focus on making a service 
unavailable for normal use, which is typically accomplished by exhausting some resource 
limitation on the network or within an operating system or application. These attacks require 
little effort to execute because they typically take advantage of protocol weaknesses or the 
attacks are carried out using traffic that would normally be allowed into a network. DoS attacks 
are among the most difficult to completely eliminate because of the way they use protocol 
weaknesses and “native” traffic to attack a network. 
DDoS Example

[Figure: the hacker's system compromises handler systems, which scan for and infect agent systems]

DDoS attacks are the “next generation” of DoS attacks on the Internet. This type of attack is not
new—UDP and TCP SYN flooding, Internet Control Message Protocol (ICMP) echo request 
floods, and ICMP directed broadcasts (also known as smurf attacks) are similar—but the scope 
certainly is new. Victims of DDoS attacks experience packet flooding from many different 
sources, possibly spoofed IP source addresses, that bring their network connectivity to a grinding 
halt. In the past, the typical DoS attack involved a single attacker’s attempt to flood a target host 
with packets. With DDoS tools, an attacker can conduct the same attack using thousands of 
systems. 


In the figure the hacker uses their terminal to scan for systems to hack. When the handler 
systems are accessed, the hacker then installs software on them to scan for, compromise, and 
infect Agent systems. When the Agent systems are accessed the hacker then loads remote control 
attack software to carry out the DoS attack. 
The threat of DoS attacks can be reduced through the following three methods:
• Antispoof features—Proper configuration of antispoof features on your routers and firewalls
• Anti-DoS features—Proper configuration of anti-DoS features on routers and firewalls
• Traffic rate limiting—Implement traffic rate limiting with the network's ISP


When involving specific network server applications, such as an HTTP server or a File Transfer
Protocol (FTP) server, these attacks can focus on acquiring and keeping open all the available 
connections supported by that server, effectively locking out valid users of the server or service. 
DoS attacks can also be implemented using common Internet protocols, such as TCP and ICMP. 
While most DoS attacks exploit a weakness in the overall architecture of the system being 
attacked rather than a software bug or security hole, some attacks compromise the performance 
of your network by flooding the network with undesired, and often useless, network packets and 
by providing false information about the status of network resources. 


The threat of DoS attacks can be reduced through the following three methods: 


■ Antispoof features—Proper configuration of antispoof features on your routers and firewalls
can reduce your risk. This configuration includes RFC 2827 filtering at a minimum. If 
hackers cannot mask their identities, they might not attack. 


■ Anti-DoS features—Proper configuration of anti-DoS features on routers and firewalls can
help limit the effectiveness of an attack. These features often involve limits on the amount of 
half-open connections that a system allows open at any given time. 


■ Traffic rate limiting—An organization can implement traffic rate limiting with its ISP. This
type of filtering limits the amount of nonessential traffic that crosses network segments at a 
certain rate. A common example is to limit the amount of ICMP traffic allowed into a 
network because it is used only for diagnostic purposes. ICMP-based DDoS attacks are 
common. 
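Added example, not from the course, modelling the second and third methods above: a cap on half-open TCP connections that ages out entries whose handshake never completes, and a token-bucket rate limit for ICMP. The cap, timeout, rate, burst and the constructed addresses (RFC 5737 documentation space) are assumptions, not any vendor's defaults.

```python
from typing import Dict, Tuple

# (source address, source port, destination address, destination port)
Flow = Tuple[str, int, str, int]


class HalfOpenLimiter:
    """Model of an anti-DoS feature that caps half-open (embryonic) TCP
    connections and ages out entries whose handshake never completes.
    Constructed for this example, not a particular vendor's implementation."""

    def __init__(self, max_half_open: int, timeout_s: float):
        self.max_half_open = max_half_open
        self.timeout_s = timeout_s
        self.half_open: Dict[Flow, float] = {}  # flow -> time its SYN arrived

    def _expire(self, now: float) -> None:
        stale = [f for f, t in self.half_open.items() if now - t > self.timeout_s]
        for f in stale:
            del self.half_open[f]

    def on_syn(self, flow: Flow, now: float) -> bool:
        """Return True if the SYN is admitted, False if dropped by the cap."""
        self._expire(now)
        if flow in self.half_open:
            return True  # retransmitted SYN for a flow already being tracked
        if len(self.half_open) >= self.max_half_open:
            return False
        self.half_open[flow] = now
        return True

    def on_handshake_complete(self, flow: Flow) -> None:
        """Final ACK seen: the connection is established and no longer half-open."""
        self.half_open.pop(flow, None)


class TokenBucket:
    """Traffic rate limiting for nonessential traffic such as ICMP."""

    def __init__(self, rate_per_s: float, burst: int):
        self.rate = rate_per_s
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def simulate_syn_flood(cap: int = 100, timeout_s: float = 30.0) -> dict:
    """Constructed scenario: 1000 SYNs from spoofed sources that never finish
    the handshake, then a legitimate client during and after the flood."""
    limiter = HalfOpenLimiter(cap, timeout_s)
    server = "15.1.1.10"  # inside the course's 15.1.1.0/24 example range
    admitted = dropped = 0
    for i in range(1000):
        spoofed = (f"203.0.113.{i % 254 + 1}", 1024 + i, server, 80)  # RFC 5737 space
        if limiter.on_syn(spoofed, 0.0):
            admitted += 1
        else:
            dropped += 1
    legit = ("192.0.2.50", 40000, server, 80)
    during = limiter.on_syn(legit, 1.0)             # table full: dropped
    after = limiter.on_syn(legit, timeout_s + 1.0)  # spoofed entries aged out
    limiter.on_handshake_complete(legit)            # real client finishes the handshake
    return {
        "admitted": admitted,
        "dropped": dropped,
        "legit_during_flood": during,
        "legit_after_timeout": after,
        "half_open_after_handshake": len(limiter.half_open),
    }


def simulate_icmp_rate_limit(rate_per_s: float = 10.0, burst: int = 20) -> dict:
    """Constructed scenario: 500 echo requests arrive at once, then a single
    diagnostic ping two seconds later."""
    bucket = TokenBucket(rate_per_s, burst)
    passed = sum(1 for _ in range(500) if bucket.allow(0.0))
    return {
        "passed_during_flood": passed,  # only the burst allowance gets through
        "dropped_during_flood": 500 - passed,
        "diagnostic_ping_after_2s": bucket.allow(2.0),
    }
```

The half-open cap protects the device from exhaustion but, as the course says, only limits the attack's effectiveness: during the flood a legitimate client is still turned away until the spoofed entries age out.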
[Figure: login dialog with Authorization and Password fields]

Hackers can implement password attacks using several different methods:
• Brute-force attacks
• Trojan horse programs
• IP spoofing
• Packet sniffers


Password attacks can be implemented using several different methods, including brute-force 
attacks, Trojan horse programs (discussed later in the lesson), IP spoofing, and packet sniffers. 
Although packet sniffers and IP spoofing can yield user accounts and passwords, password 
attacks usually refer to repeated attempts to identify a user account, password, or both. These 
repeated attempts are called brute-force attacks. 


Often a brute-force attack is performed using a program that runs across the network and 
attempts to log in to a shared resource, such as a server. When an attacker successfully gains 
access to a resource, he or she has the same rights as the user whose account has been 
compromised to gain access to that resource. If this account has sufficient privileges, the attacker 
can create a back door for future access, without concern for any status and password changes to 
the compromised user account. 
Just as with packet sniffers and IP spoofing attacks, a brute-force password attack can provide
access to accounts that can be used to modify critical network files and services. An example 
that compromises your network’s integrity is an attacker modifying the routing tables for your 
network. By doing so, the attacker ensures that all network packets are routed to him or her 
before they are transmitted to their final destination. In such a case, an attacker can monitor all 
network traffic, effectively becoming a man in the middle. 


The following are the two different methods for computing passwords with L0phtCrack:


■ Dictionary cracking—The password hashes for all of the words in a dictionary file are
computed and compared against all of the password hashes for the users. This method is 
extremely fast and finds very simple passwords. 


■ Brute force computation—This method uses a particular character set such as A-Z, or A-Z
plus 0-9 and computes the hash for every possible password made up of those characters. It 
will always compute the password if it is made up of the character set you have selected to 
test. The downside is that time is required for completion of this type of attack. 
The following are mitigation techniques:
• Do not allow users to use the same password on multiple systems.
• Disable accounts after a certain number of unsuccessful login attempts.
• Do not use plain text passwords. An OTP or a cryptographic password is recommended.
• Use “strong” passwords. Strong passwords are at least eight characters long and contain
uppercase letters, lowercase letters, numbers, and special characters.


The following are password attack mitigation techniques: 


■ Do not allow users to have the same password on multiple systems—Most users will use the
same password for each system they access, and often personal system passwords will be the 
same as well. 


■ Disable accounts after unsuccessful logins—This helps to prevent continuous password
attempts. 


■ Do not use plain text passwords—Use of either an OTP or encrypted password is
recommended. 


■ Use “strong” passwords—Many systems now provide strong password support and can
restrict a user to only the use of strong passwords. Strong passwords are at least eight 
characters long and contain uppercase letters, lowercase letters, numbers, and special 
characters. 
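Added example, not from the course, implementing the second, third and fourth mitigations above: a strong-password check using the course's criteria, salted password hashes in place of plain-text storage, and disabling an account after repeated failed logins. The limit of five attempts, the PBKDF2 hashing and the sample user name psmith are assumptions for the example.

```python
import hashlib
import hmac
import os
import string
from collections import defaultdict

MIN_LENGTH = 8
MAX_FAILED_LOGINS = 5  # assumption: the course only says "a certain number"


def password_policy_violations(password: str) -> list:
    """Return the course's strong-password criteria that `password` fails."""
    checks = {
        "at least eight characters": len(password) >= MIN_LENGTH,
        "uppercase letter": any(c.isupper() for c in password),
        "lowercase letter": any(c.islower() for c in password),
        "number": any(c.isdigit() for c in password),
        "special character": any(c in string.punctuation for c in password),
    }
    return [name for name, ok in checks.items() if not ok]


def is_strong_password(password: str) -> bool:
    return not password_policy_violations(password)


class AccountStore:
    """Keeps salted password hashes rather than plain text, enforces the
    strong-password policy, and disables an account after repeated failures."""

    def __init__(self, max_failed: int = MAX_FAILED_LOGINS):
        self.max_failed = max_failed
        self._creds = {}                 # user -> (salt, hash)
        self._failed = defaultdict(int)  # user -> consecutive failed logins
        self._disabled = set()

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        # Assumption: PBKDF2-HMAC-SHA256; the course only asks for a
        # cryptographic rather than plain-text password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user: str, password: str) -> None:
        violations = password_policy_violations(password)
        if violations:
            raise ValueError("weak password: missing " + ", ".join(violations))
        salt = os.urandom(16)
        self._creds[user] = (salt, self._hash(password, salt))

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'failed', or 'disabled'."""
        if user in self._disabled:
            return "disabled"
        stored = self._creds.get(user)
        if stored is None:
            return "failed"  # same answer as a wrong password: do not reveal valid user names
        salt, digest = stored
        if hmac.compare_digest(self._hash(password, salt), digest):
            self._failed[user] = 0
            return "ok"
        self._failed[user] += 1
        if self._failed[user] >= self.max_failed:
            self._disabled.add(user)
            return "disabled"
        return "failed"

    def is_disabled(self, user: str) -> bool:
        return user in self._disabled


def demonstrate_mitigations() -> dict:
    """Constructed walk-through: a weak password is refused, a strong one is
    stored, and a brute-force run locks the account before it can succeed."""
    store = AccountStore()
    weak_rejected = False
    try:
        store.set_password("psmith", "password")
    except ValueError:
        weak_rejected = True
    store.set_password("psmith", "Tr0ub4dor&3")
    guesses = [store.login("psmith", f"guess{n}") for n in range(MAX_FAILED_LOGINS)]
    return {
        "weak_rejected": weak_rejected,
        "guess_outcomes": guesses,  # four 'failed', then 'disabled'
        "correct_password_after_lockout": store.login("psmith", "Tr0ub4dor&3"),
    }
```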
A man-in-the-middle attack requires that the hacker have access to network packets that come
across a network.

• A man-in-the-middle attack is implemented using the following:
— Network packet sniffers
— Routing and transport protocols
• Possible man-in-the-middle attack uses include the following:
— Theft of information
— Hijacking of an ongoing session
— Traffic analysis
— DoS
— Corruption of transmitted data
— Introduction of new information into network sessions
A man-in-the-middle attack requires that the attacker have access to network packets that come
across the network. Such attacks are often implemented using network packet sniffers and
routing and transport protocols. The possible uses of such attacks are theft of information, 
hijacking of an ongoing session to gain access to your internal network resources, traffic analysis 
to derive information about your network and its users, denial of service, corruption of 
transmitted data, and introduction of new information into network sessions. 


An example of a man-in-the-middle attack could be someone who is working for your ISP, who 
can gain access to all network packets transferred between your network and any other network. 
Man-in-the-Middle Mitigation

[Figure: IPSec tunnel between Router A and Router B; a man-in-the-middle attack can only see cipher text]

Man-in-the-middle attacks can be effectively mitigated only through the use of cryptography
(encryption).

Man-in-the-Middle attack mitigation is achieved, as shown in the figure, by encrypting traffic in
an IPSec tunnel, which would only allow the hacker to see cipher text.
[Figure: OSI model layers (Application, Presentation, Session, Transport, Network, Data Link, Physical)]

Application layer attacks have the following characteristics:
• Exploit well known weaknesses, such as protocols, that are intrinsic to an application or
system (for example, sendmail, HTTP, and FTP)
• Often use ports that are allowed through a firewall (for example, TCP port 80 used in an
attack against a web server behind a firewall)
• Can never be completely eliminated, because new vulnerabilities are always being
discovered
Application-layer attacks can be implemented using several different methods:


■ One of the most common methods is exploiting well known weaknesses in software
commonly found on servers, such as sendmail, PostScript, and FTP. By exploiting these 
weaknesses, attackers can gain access to a computer with the permissions of the account 
running the application, which is usually a privileged, system-level account. 


■ Trojan horse program attacks are implemented using programs that an attacker substitutes
for common programs. These programs may provide all the functionality that the normal 
program provides, but also include other features that are known to the attacker, such as 
monitoring login attempts to capture user account and password information. These 
programs can capture sensitive information and distribute it back to the attacker. They can 
also modify application functionality, such as applying a blind carbon copy to all e-mail 
messages so that the attacker can read all of your organization’s e-mail. 


One of the oldest forms of application-layer attacks is a Trojan horse program that displays a 
screen, banner, or prompt that the user believes is the valid login sequence. The program 
then captures the information that the user enters and stores or e-mails it to the attacker. 
Next, the program either forwards the information to the normal login process (normally 
impossible on modern systems), or simply sends an expected error to the user (for example, 
Bad Username/Password Combination), exits, and starts the normal login sequence. The 
user, believing that they have incorrectly entered the password (a common mistake 
experienced by everyone), re-enters the information and is allowed access. 


■ One of the newest forms of application-layer attacks exploits the openness of several new
technologies: the HTML specification, web browser functionality, and HTTP. These attacks, 
which include Java applets and ActiveX controls, involve passing harmful programs across
the network and loading them through a user’s browser. 
Application Layer Attacks Mitigation

Some measures you can take to reduce your risks are as follows:
• Read operating system and network log files, or have them analyzed by log analysis
applications.
• Subscribe to mailing lists that publicize vulnerabilities.
• Keep your operating system and applications current with the latest patches.
• IDSs can scan for known attacks, monitor and log attacks, and in some cases, prevent
attacks.


The following are some measures you can take to reduce your risks for application layer attacks: 


■ Read operating system and network log files or have them analyzed—It is important to
review all logs and take action accordingly. 


■ Subscribe to mailing lists that publicize vulnerabilities—Most application and operating
system vulnerabilities are published on the Web at various sources. 


■ Keep your operating system and applications current with the latest patches—Always test
patches and fixes in a non-production environment. This prevents downtime and errors from 
being generated unnecessarily. 


■ Intrusion detection systems (IDSs) can scan for known attacks, monitor and log attacks, and
in some cases, prevent attacks—The use of IDSs can be essential to identifying security
threats and mitigating some of those threats, and, in most cases, it can be done automatically.
Network reconnaissance refers to the overall act of learning information about a target
network by using publicly available information and applications.


Network Reconnaissance refers to the overall act of learning information about a target network 
by using publicly available information and applications. When hackers attempt to penetrate a 
particular network, they often need to learn as much information as possible about the network 
before launching attacks. Examples include DNS queries, ping sweeps, and port scans: 


■ Domain Name System (DNS) queries—Reveals such information as who owns a particular
domain and what addresses have been assigned to that domain. 


■ Ping sweeps—Presents a picture of the live hosts in a particular environment.


■ Port scans—Cycles through all well known ports to provide a complete list of all services
running on the hosts. 
Network Reconnaissance Example

The figure demonstrates how existing Internet tools can be used for network reconnaissance (for
example, an IP address query or a Domain Name query). 


DNS queries can reveal such information as who owns a particular domain and what addresses 
have been assigned to that domain. Ping sweeps of the addresses revealed by the DNS queries 
can present a picture of the live hosts in a particular environment. After such a list is generated, 
port scanning tools can cycle through all well known ports to provide a complete list of all 
services running on the hosts discovered by the ping sweep. Finally, the hackers can examine the 
characteristics of the applications that are running on the hosts. This can lead to specific 
information that is useful when the hacker attempts to compromise that service. 


IP address queries can reveal information such as who owns a particular IP address or range of 
addresses and what domain is associated to them. 
Network Reconnaissance Mitigation

• Network reconnaissance cannot be prevented entirely.
• IDSs at the network and host levels can usually notify an administrator when a
reconnaissance gathering attack (for example, ping sweeps and port scans) is under way.


If ICMP echo and echo-reply are turned off on edge routers, ping sweeps can be stopped (at the
expense of network diagnostic data), but port scans can still be run without full ping sweeps.
They simply take longer because they need to scan IP addresses that might not be live.


IDSs at the network and host levels can usually notify an administrator when a reconnaissance 
gathering attack is underway. This allows the administrator to better prepare for the coming 
attack or to notify the ISP who is hosting the system that it is launching the reconnaissance 
probe. 
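Added example, not from the course, of the kind of notification an IDS raises for the reconnaissance described above: a sliding-window detector that alerts when one source pings many distinct hosts (a ping sweep) or probes many ports on one host (a port scan). The log format, thresholds, window and sample lines are constructed for the example; the target range 15.1.1.0/24 comes from the text, and 203.0.113.5 is RFC 5737 documentation space.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed log format (an assumption, not a real IDS's format):
#   <ISO timestamp> <proto> <src> -> <dst>[:<port>] <info>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>ICMP|TCP) (?P<src>[\d.]+) -> "
    r"(?P<dst>[\d.]+)(?::(?P<port>\d+))? (?P<info>\S+)$"
)

SWEEP_HOSTS = 5   # distinct hosts pinged by one source within the window
SCAN_PORTS = 6    # distinct ports probed on one host within the window
WINDOW_S = 60.0


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"]).timestamp()
    ev["port"] = int(ev["port"]) if ev["port"] else None
    return ev


def detect_reconnaissance(lines, window_s: float = WINDOW_S) -> list:
    """Sliding-window detector; one alert per (source, kind) the first time
    the threshold is crossed, so a long scan does not flood the operator."""
    pings = defaultdict(deque)   # src -> deque of (ts, dst)
    probes = defaultdict(deque)  # (src, dst) -> deque of (ts, port)
    alerted = set()
    alerts = []

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proto"] == "ICMP" and ev["info"] == "echo-request":
            q = pings[ev["src"]]
            q.append((ev["ts"], ev["dst"]))
            while ev["ts"] - q[0][0] > window_s:  # drop events outside the window
                q.popleft()
            hosts = {dst for _, dst in q}
            key = (ev["src"], "ping-sweep")
            if len(hosts) >= SWEEP_HOSTS and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "ping-sweep", "src": ev["src"], "count": len(hosts)})
        elif ev["proto"] == "TCP" and ev["info"] == "SYN" and ev["port"] is not None:
            q = probes[(ev["src"], ev["dst"])]
            q.append((ev["ts"], ev["port"]))
            while ev["ts"] - q[0][0] > window_s:
                q.popleft()
            ports = {p for _, p in q}
            key = (ev["src"], "port-scan")
            if len(ports) >= SCAN_PORTS and key not in alerted:
                alerted.add(key)
                alerts.append({"kind": "port-scan", "src": ev["src"],
                               "dst": ev["dst"], "count": len(ports)})
    return alerts


# Constructed sample: an outside host sweeps the course's 15.1.1.0/24 range,
# then scans the one host that answered; an administrator at 15.1.1.20 has
# normal traffic mixed in and must not trigger an alert.
SAMPLE_LOG = """
2005-03-01T10:00:01 ICMP 203.0.113.5 -> 15.1.1.1 echo-request
2005-03-01T10:00:01 ICMP 203.0.113.5 -> 15.1.1.2 echo-request
2005-03-01T10:00:02 ICMP 15.1.1.20 -> 15.1.1.1 echo-request
2005-03-01T10:00:02 ICMP 203.0.113.5 -> 15.1.1.3 echo-request
2005-03-01T10:00:02 ICMP 203.0.113.5 -> 15.1.1.4 echo-request
2005-03-01T10:00:03 ICMP 203.0.113.5 -> 15.1.1.10 echo-request
2005-03-01T10:00:03 ICMP 15.1.1.10 -> 203.0.113.5 echo-reply
2005-03-01T10:00:10 TCP 15.1.1.20 -> 15.1.1.10:22 SYN
2005-03-01T10:00:12 TCP 203.0.113.5 -> 15.1.1.10:21 SYN
2005-03-01T10:00:12 TCP 203.0.113.5 -> 15.1.1.10:22 SYN
2005-03-01T10:00:12 TCP 203.0.113.5 -> 15.1.1.10:23 SYN
2005-03-01T10:00:13 TCP 203.0.113.5 -> 15.1.1.10:25 SYN
2005-03-01T10:00:13 TCP 15.1.1.20 -> 15.1.1.10:443 SYN
2005-03-01T10:00:13 TCP 203.0.113.5 -> 15.1.1.10:80 SYN
2005-03-01T10:00:14 TCP 203.0.113.5 -> 15.1.1.10:110 SYN
2005-03-01T10:00:14 TCP 203.0.113.5 -> 15.1.1.10:143 SYN
""".strip().splitlines()


def alerts_for_sample() -> list:
    return detect_reconnaissance(SAMPLE_LOG)
```

With ICMP echo blocked at the edge the first alert would never fire, which is the trade-off the text describes; the port-scan detector still catches the slower scan that follows.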
Trust Exploitation

• A hacker leverages existing trust relationships
• Several trust models exist
— Windows
  • Domains
  • Active directory
— Linux and UNIX
  • NFS
  • NIS+

[Figure: SystemA trusts SystemB and SystemB trusts everyone, so SystemA effectively trusts everyone; the hacker (User = psmith; Pat Smithson) compromises SystemB (User = psmith; Pat Smith) and gains access to SystemA]

While not an attack in and of itself, trust exploitation refers to an attack where an individual
takes advantage of a trust relationship within a network. The classic example is a perimeter
network connection from a corporation. These network segments often house DNS, SMTP, and
HTTP servers. Because they all reside on the same segment, a compromise of one system can
lead to the compromise of other systems because they might trust other systems attached to their
same network. Another example is a system on the outside of a firewall that has a trust
relationship with a system on the inside of a firewall. When the outside system is compromised,
it can leverage that trust relationship to attack the inside network.
Trust Exploitation Mitigation

[Figure: the hacker is blocked from reaching SystemA]

• Systems on the outside of a firewall should never be absolutely trusted by systems on the
inside of a firewall.
• Such trust should be limited to specific protocols and should be validated by something
other than an IP address where possible.

You can mitigate trust and exploitation-based attacks through tight constraints on trust levels
within a network. Systems on the outside of a firewall should never be absolutely trusted by
systems on the inside of a firewall. Such trust should be limited to specific protocols and should
be authenticated by something other than an IP address where possible.
Port Redirection

[Figure: the attacker sends traffic to Destination A on port 22 and to Destination B on port 23; Compromised Host A forwards it as Source A, Destination B, Port 23]

• Port redirection is a type of trust-exploitation attack that uses a compromised host to pass
traffic through a firewall that would otherwise be dropped.
• It is mitigated primarily through the use of proper trust models.
• Antivirus software and host-based IDS can help detect and prevent a hacker installing port
redirection utilities on the host.

Port redirection attacks are a type of trust exploitation attack that uses a compromised host to
pass traffic through a firewall that would otherwise be dropped. Consider a firewall with three 
interfaces and a host on each interface. The host on the outside can reach the host on the public 
services segment (commonly referred to as a Demilitarized Zone [DMZ]), but not the host on the 
inside. The host on the public services segment can reach the host on both the outside and the 
inside. If hackers were able to compromise the public services segment host, they could install 
software to redirect traffic from the outside host directly to the inside host. Though neither 
communication violates the rules implemented in the firewall, the outside host has now achieved 
connectivity to the inside host through the port redirection process on the public services host. 
An example of an application that can provide this type of access is netcat. 


Port redirection can primarily be mitigated through the use of proper trust models, which are 
network specific (as mentioned earlier). Assuming a system under attack, a host-based IDS can 
help detect and prevent a hacker installing such utilities on a host. 
Unauthorized Access

[Figure: login banner reading “UNAUTHORIZED ACCESS TO THIS NETWORK DEVICE IS PROHIBITED.” with a Disconnect button]

• Unauthorized access includes any unauthorized attempt to access a private resource:
— Not a specific type of attack
— Refers to most attacks executed in networks today
— Initiated on both the outside and inside of a network
• The following are mitigation techniques for unauthorized access attacks:
— Eliminate the ability of a hacker to gain access to a system
— Prevent simple unauthorized access attacks, which is the primary function of a firewall

While not a specific type of attack, unauthorized access attacks refer to the majority of attacks
executed in networks today. In order for someone to brute-force a Telnet login, they must first 
get the Telnet prompt on a system. Upon connection to the Telnet port, the hacker might see the 
message “authorization required to use this resource.” If the hacker continues to attempt access, 
the hacker’s actions become “unauthorized.” These kinds of attacks can be initiated both on the 
outside and inside of a network. 


Mitigation techniques for unauthorized access attacks are very simple. They involve reducing or 
eliminating the ability of a hacker to gain access to a system using an unauthorized protocol. An 
example would be preventing hackers from having access to the Telnet port on a server that 
needs to provide web services to the outside. If a hacker cannot reach that port, it is very difficult 
to attack it. The primary function of a firewall in a network is to prevent simple unauthorized 
access attacks. 
Viruses and Trojan Horses

• Viruses refer to malicious software that is attached to another program to execute a particular unwanted function on a user’s workstation. End-user workstations are the primary targets.
• A Trojan horse is different only in that the entire application was written to look like something else, when in fact it is an attack tool. A Trojan horse is mitigated by antivirus software at the user level and possibly the network level.


The primary vulnerabilities for end-user workstations are viruses and Trojan horse attacks. 
Viruses refer to malicious software that is attached to another program to execute a particular 
unwanted function on a user’s workstation. An example of a virus is a program that is attached 
to command.com (the primary interpreter for Windows systems), which deletes certain files and 
infects any other versions of command.com that it can find. 


A Trojan horse is different only in that the entire application was written to look like something 
else, when in fact it is an attack tool. An example of a Trojan horse is a software application that 
runs a simple game on the user’s workstation. While the user is occupied with the game, the 
Trojan horse mails a copy of itself to every user in the user’s address book. Then other users 
receive the game and play it, thus spreading the Trojan horse. 


These kinds of applications can be contained through the effective use of antivirus software at 
the user level and potentially at the network level. Antivirus software can detect most viruses 
and many Trojan horse applications and prevent them from spreading in the network. Keeping 
up-to-date with the latest developments in these sorts of attacks can also lead to a more effective 
posture against these attacks. As new virus or Trojan applications are released, enterprises need 
to keep up-to-date with the latest antivirus software and application versions. 
Management Protocols and Functions 


The protocols used to manage your network can in themselves be a source of vulnerability. This 
topic examines common management protocols and how they can be exploited. 


Configuration Management

• Configuration management protocols include SSH, SSL, and Telnet.
• Telnet issues include the following:
  — The data within a Telnet session is sent as clear text, and may be intercepted by anyone with a packet sniffer located along the data path between the device and the management server.
  — The data may include sensitive information, such as the configuration of the device itself, passwords, and so on.


If the managed device does not support any of the recommended protocols, such as SSH and 
SSL, Telnet may have to be used (although this protocol is not highly recommended). The 
network administrator should recognize that the data within a Telnet session is sent as clear text, 
and may be intercepted by anyone with a packet sniffer located along the data path between the 
managed device and the management server. The clear text may include important information, 
such as the configuration of the device itself, passwords, and other sensitive data. 
Configuration Management Recommendations

When possible, the following practices are advised:

• Use IPSec, SSH, SSL, or any other encrypted and authenticated transport.
• ACLs should be configured to allow only management servers to connect to the device. All attempts from other IP addresses should be denied and logged.
• RFC 2827 filtering at the perimeter router should be used to mitigate the chance of an outside attacker spoofing the addresses of the management hosts.


Regardless of whether SSH, SSL, or Telnet is used for remote access to the managed device, 
access control lists (ACLs) should be configured to allow only management servers to connect to 
the device. All attempts from other IP addresses should be denied and logged. RFC 2827 
filtering at the ingress router should also be implemented to mitigate the chance of an attacker 
from outside the network spoofing the addresses of the management hosts. 
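The two controls just described, a management-host ACL that denies and logs everything else, and RFC 2827 anti-spoofing at the perimeter, can be modelled as a small policy check. The Python below is an added example written for this page; it is not course material and not Cisco software. The addresses, interface names and management port list are constructed for illustration. It goes slightly beyond the text by applying RFC 2827 in both directions: an internal source address arriving from the outside is dropped, and a non-internal source address leaving the inside is dropped too.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed addressing for this example (not from the course): the private
# network is 10.0.0.0/8, two management servers live in 10.1.1.0/24, and the
# managed device answers on 10.2.0.1.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
MANAGEMENT_HOSTS = {ipaddress.ip_address("10.1.1.5"), ipaddress.ip_address("10.1.1.6")}
DEVICE_ADDRESS = ipaddress.ip_address("10.2.0.1")
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 443: "ssl"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    interface: str  # "outside" (Internet-facing) or "inside"


def rfc2827_filter(pkt: Packet) -> Tuple[str, str]:
    """RFC 2827 anti-spoofing check on the perimeter router.

    A packet entering from the outside must not carry an internal source
    address (someone pretending to be a management host); a packet leaving
    from the inside must carry one (nobody inside may spoof outside addresses).
    """
    src = ipaddress.ip_address(pkt.src)
    is_internal = any(src in net for net in INTERNAL_PREFIXES)
    if pkt.interface == "outside" and is_internal:
        return "deny", "rfc2827: internal source address arrived from outside"
    if pkt.interface == "inside" and not is_internal:
        return "deny", "rfc2827: non-internal source address leaving the network"
    return "permit", "rfc2827: source address consistent with interface"


def management_acl(pkt: Packet) -> Tuple[str, str]:
    """Only the management servers may open SSH, SSL or Telnet to the device."""
    if ipaddress.ip_address(pkt.dst) != DEVICE_ADDRESS or pkt.dport not in MANAGEMENT_PORTS:
        return "permit", "acl: not a management session to the device"
    service = MANAGEMENT_PORTS[pkt.dport]
    if ipaddress.ip_address(pkt.src) in MANAGEMENT_HOSTS:
        return "permit", f"acl: management host allowed to {service}"
    return "deny", f"acl: {pkt.src} is not a management host ({service})"


def evaluate(pkt: Packet, log: List[str]) -> str:
    """Apply both checks in order; every denied attempt is appended to the log."""
    for check in (rfc2827_filter, management_acl):
        action, reason = check(pkt)
        if action == "deny":
            log.append(f"DENY {pkt.src} -> {pkt.dst}:{pkt.dport} via {pkt.interface}: {reason}")
            return "deny"
    return "permit"


if __name__ == "__main__":
    audit_log: List[str] = []
    for p in (Packet("10.1.1.5", "10.2.0.1", 22, "inside"),    # real management host
              Packet("10.1.1.5", "10.2.0.1", 22, "outside"),   # spoofed from the Internet
              Packet("10.9.9.9", "10.2.0.1", 23, "inside")):   # inside host, not a management server
        print(evaluate(p, audit_log))
    print("\n".join(audit_log))
```

The order matters: the spoofing check runs first, so a forged management-host address never reaches the ACL, and the log line records which control rejected the attempt.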
SNMP

• SNMP is a network management protocol that can be used to retrieve information from a network device. The TCP and UDP ports SNMP uses are 161 and 162.
• The following are SNMP issues:
  — SNMP uses passwords, called community strings, within each message as a very simple form of security. Most implementations of SNMP on networking devices today send the community string in clear text.
  — SNMP messages may be intercepted by anyone with a packet sniffer located along the data path between the device and the management server, and the community string may be compromised.
  — An attacker could reconfigure the device if read-write access via SNMP is allowed.
• The following are SNMP recommendations:
  — Configure SNMP with only read-only community strings.
  — Set up access control on the device you wish to manage via SNMP to allow only the appropriate management hosts access.
SNMP is a network management protocol that can be used to retrieve information from a network device (commonly referred to as read-only access) or to remotely configure parameters on the device (commonly referred to as read-write access). SNMP uses passwords, called community strings, within each message as a very simple form of security. Unfortunately, most implementations of SNMP on networking devices today send the community string in clear text along with the message. Therefore, SNMP messages may be intercepted by anyone with a packet sniffer located along the data path between the device and the management server, and the community string may be compromised.

When the community string is compromised, an attacker could reconfigure the device if read-write access via SNMP is allowed. Therefore, it is recommended that you configure SNMP with only read-only community strings. You can further protect yourself by setting up access control on the device you wish to manage via SNMP to allow only the appropriate management hosts access.
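To see why "clear text" matters here, it helps to look at the bytes. An SNMPv1 or SNMPv2c message is a BER SEQUENCE of an INTEGER version (0 for v1, 1 for v2c), an OCTET STRING community, and the PDU; nothing is encrypted, so a sensor on the path can read the community string with a few lines of decoding. The following Python is an added example for this page (not course material or Cisco code): it builds constructed SNMP datagrams, parses the header back out, and raises the findings a monitoring sensor could report against the recommendations above (SetRequest means read-write is in use; a request from an address outside the assumed management-host set means access control is missing). The management host addresses are constructed.

```python
from dataclasses import dataclass
from typing import List, Set

# SNMPv1/v2c message (BER): SEQUENCE { INTEGER version, OCTET STRING community, PDU }
PDU_TYPES = {0xA0: "GetRequest", 0xA1: "GetNextRequest", 0xA2: "GetResponse",
             0xA3: "SetRequest", 0xA4: "Trap"}
DEFAULT_COMMUNITIES = {"public", "private"}


def _ber_length(n: int) -> bytes:
    """Definite-form BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(payload)) + payload


def _integer(v: int) -> bytes:
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def build_message(community: str, pdu_tag: int, version: int = 0, request_id: int = 1) -> bytes:
    """Constructed SNMP datagram with an empty variable-binding list."""
    pdu = _tlv(pdu_tag, _integer(request_id) + _integer(0) + _integer(0) + _tlv(0x30, b""))
    return _tlv(0x30, _integer(version) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated BER element")
    return tag, value, pos + length


@dataclass
class SnmpHeader:
    version: int
    community: str
    pdu_type: str


def parse_header(pkt: bytes) -> SnmpHeader:
    """Recover version, community string and PDU type; no key is needed."""
    tag, msg, end = _read_tlv(pkt, 0)
    if tag != 0x30 or end != len(pkt):
        raise ValueError("not an SNMP message")
    tag, ver, pos = _read_tlv(msg, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    tag, comm, pos = _read_tlv(msg, pos)
    if tag != 0x04:
        raise ValueError("missing community string")
    pdu_tag, _, _ = _read_tlv(msg, pos)
    return SnmpHeader(int.from_bytes(ver, "big", signed=True),
                      comm.decode("ascii", "replace"),
                      PDU_TYPES.get(pdu_tag, f"unknown(0x{pdu_tag:02x})"))


def audit(pkt: bytes, src_ip: str, management_hosts: Set[str]) -> List[str]:
    """Findings a passive sensor could raise from one observed SNMP datagram."""
    hdr = parse_header(pkt)
    findings = [f"community string {hdr.community!r} observed in clear text"]
    if hdr.pdu_type == "SetRequest":
        findings.append("SetRequest seen: read-write access is enabled on the device")
    if hdr.community.lower() in DEFAULT_COMMUNITIES:
        findings.append("default community string in use")
    if src_ip not in management_hosts:
        findings.append(f"request from {src_ip}, which is not an authorized management host")
    return findings


if __name__ == "__main__":
    mgmt = {"10.1.1.5"}  # constructed management host
    for f in audit(build_message("public", 0xA0), "10.1.1.5", mgmt):
        print(f)
    for f in audit(build_message("s3cret-rw", 0xA3, version=1), "203.0.113.9", mgmt):
        print(f)
```

The parser deliberately stops at the PDU tag: the point is that the credential and the operation type are readable before a single variable binding is decoded.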
Logging

Logging issues include the following:

• Syslog is sent as clear text between the managed device and the management host on UDP port 514.
• Syslog has no packet-level integrity checking to ensure that the packet contents have not been altered in transit.
• There is a potential for the Syslog data to be falsified by an attacker.
• An attacker can send large amounts of false Syslog data to a management server in order to confuse the network administrator during an attack.


Syslog, which is information generated by a device that has been configured for logging, is sent as clear text between the managed device and the management host. Syslog has no packet-level integrity checking to ensure that the packet contents have not been altered in transit. An attacker may alter Syslog data in order to confuse a network administrator during an attack. 
Logging Recommendations

When possible, the following practices are advised:

• Encrypt Syslog traffic within an IPSec tunnel.
• When allowing Syslog access from devices on the outside of a firewall, you should implement RFC 2827 filtering at the perimeter router.
• ACLs should also be implemented on the firewall in order to allow Syslog data from only the managed devices themselves to reach the management hosts.


Where possible, Syslog traffic may be encrypted within an IPSec tunnel in order to mitigate the 
chance of its being altered in transit. Where the Syslog data cannot be encrypted within an IPSec 
tunnel because of cost or the capabilities of the device itself, the network administrator should 
note that there is a potential for the Syslog data to be falsified by an attacker. 


When allowing Syslog access from devices on the outside of a firewall, RFC 2827 filtering at the 
egress router should be implemented. This scenario will mitigate the chance of an attacker from 
outside the network spoofing the address of the managed device, and sending false Syslog data 
to the management hosts. 


ACLs should also be implemented on the firewall in order to allow Syslog data from only the 
managed devices themselves to reach the management hosts. This scenario prevents an attacker 
from sending large amounts of false Syslog data to a management server in order to confuse the 
network administrator during an attack. 
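Because Syslog over UDP carries no integrity check, the collector has only two things to work with: the source address in the IP header and the HOSTNAME field inside the message. The Python below is an added example for this page (not course material or Cisco code) showing the checks a collector or SIEM rule can apply to mirror the recommendations above: a datagram from an address that is not a managed device (what the firewall ACL should already have dropped), a managed device whose message claims another device's hostname, and a burst from one source that looks like the flooding the text describes. The device inventory, threshold and log lines are all constructed.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# RFC 3164 style line: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: message
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.+)$"
)

# Constructed inventory (not from the course): the source address each managed
# device is expected to log from, which is what the firewall ACL would enforce.
MANAGED_DEVICES = {"10.2.0.1": "edge-rtr1", "10.2.0.2": "dmz-fw1"}
FLOOD_THRESHOLD = 5  # messages from one source within one second (constructed value)


@dataclass(frozen=True)
class Datagram:
    src_ip: str   # IP header source address as seen by the collector
    payload: str  # UDP payload, the syslog line


def parse_line(payload: str):
    """Return (priority, timestamp, hostname, message), or None if malformed."""
    m = SYSLOG_RE.match(payload)
    if not m:
        return None
    return int(m["pri"]), m["ts"], m["host"], m["msg"]


def analyze(datagrams: List[Datagram]) -> List[Tuple[str, str, str]]:
    """Findings as (kind, src_ip, detail); kinds are
    'malformed', 'unregistered-source', 'hostname-mismatch' and 'flood'."""
    findings = []
    per_second = Counter()
    for d in datagrams:
        parsed = parse_line(d.payload)
        if parsed is None:
            findings.append(("malformed", d.src_ip, d.payload[:40]))
            continue
        _, ts, host, _ = parsed
        expected = MANAGED_DEVICES.get(d.src_ip)
        if expected is None:
            findings.append(("unregistered-source", d.src_ip, f"claims to be {host}"))
        elif host != expected:
            findings.append(("hostname-mismatch", d.src_ip, f"{host} instead of {expected}"))
        per_second[(d.src_ip, ts)] += 1
    for (src, ts), n in per_second.items():
        if n > FLOOD_THRESHOLD:
            findings.append(("flood", src, f"{n} messages at {ts}"))
    return findings


def sample_traffic() -> List[Datagram]:
    """Constructed datagrams: one legitimate, one spoofed from outside, one from a
    managed device using another device's hostname, and a burst of six."""
    legit = Datagram("10.2.0.1", "<189>Mar  4 10:15:01 edge-rtr1 LINK: interface Serial0 up")
    spoofed = Datagram("203.0.113.9", "<189>Mar  4 10:15:02 edge-rtr1 CONFIG: configured by admin")
    wrong_host = Datagram("10.2.0.2", "<189>Mar  4 10:15:02 edge-rtr1 CONFIG: configured by admin")
    burst = [Datagram("10.2.0.2", f"<190>Mar  4 10:15:03 dmz-fw1 CONN: connection {i}")
             for i in range(6)]
    return [legit, spoofed, wrong_host, *burst]


if __name__ == "__main__":
    for kind, src, detail in analyze(sample_traffic()):
        print(f"{kind:20} {src:15} {detail}")
```

None of these checks proves a message is genuine; only an IPSec tunnel between device and collector does that. They do make the two cheap attacks the text names (spoofed sources, floods) visible rather than silently trusted.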
TFTP

• Many network devices use TFTP for transferring configuration or system files across the network. TFTP uses port 69 for both TCP and UDP.
• The following are TFTP issues:
  — TFTP uses UDP for the data stream between the device and the TFTP server.
  — TFTP sends data in clear text. The network administrator should recognize that the data within a TFTP session may be intercepted by anyone with a packet sniffer located along the data path between the requesting host and the TFTP server.
• When possible, TFTP traffic should be encrypted within an IPSec tunnel in order to mitigate the chance of its being intercepted.


Many network devices use TFTP for transferring configuration or system files across the 
network. TFTP uses UDP for the data stream between the requesting host and the TFTP server. 


As with other management protocols that send data in clear text, the network administrator 
should recognize that the data within a TFTP session might be intercepted by anyone with a 
packet sniffer located along the data path between the device and the management server. Where 
possible, TFTP traffic should be encrypted within an IPSec tunnel in order to mitigate the chance 
of its being intercepted. 
NTP

• NTP is used to synchronize the clocks of various devices across a network. It is critical for digital certificates, and for correct interpretation of events within Syslog data. NTP uses port 123 for both UDP and TCP connections.
• The following are NTP issues:
  — An attacker could attempt a DoS attack on a network by sending bogus NTP data across the Internet in an attempt to change the clocks on network devices in such a manner that digital certificates are considered invalid.
  — An attacker could attempt to confuse a network administrator during an attack by disrupting the clocks on network devices.
  — Many NTP servers on the Internet do not require any authentication of peers.
• The following are NTP recommendations:
  — Implement your own master clock for the private network synchronization.
  — Use NTP Version 3 or above as these versions support a cryptographic authentication mechanism between peers.
  — Use ACLs that specify which network devices are allowed to synchronize with other network devices.
Network Time Protocol (NTP) is used to synchronize the clocks of various devices across a network. Synchronization of the clocks within a network is critical for digital certificates, and for correct interpretation of events within Syslog data.

A secure method of providing clocking for the network is for the network administrator to implement their own master clock for the private network synchronized to Coordinated Universal Time (UTC) via satellite or radio. However, clock sources are available to synchronize to via the Internet, if the network administrator does not wish to implement their own master clock because of costs or other reasons.

An attacker could attempt a DoS attack on a network by sending bogus NTP data across the Internet in an attempt to change the clocks on network devices in such a manner that digital certificates are considered invalid. Further, an attacker could attempt to confuse a network administrator during an attack by disrupting the clocks on network devices. This scenario would make it difficult for the network administrator to determine the order of Syslog events on multiple devices.

Version 3 and above of NTP supports a cryptographic authentication mechanism between peers. The use of the authentication mechanism as well as ACLs that specify which network devices are allowed to synchronize with other network devices is recommended to help mitigate against such a scenario. The network administrator should weigh the cost benefits of pulling clock information from the Internet against the possible risk of doing so and allowing it through the firewall. Many NTP servers on the Internet do not require any authentication of peers. Therefore, the network administrator must trust that the clock itself is reliable, valid, and secure. 
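The NTPv3 authentication mechanism mentioned above (RFC 1305) appends a 20-byte authenticator to the 48-byte header: a 32-bit key identifier followed by MD5 computed over the shared key and the header. A receiver that checks it, and that also consults an access list of permitted peers, rejects exactly the bogus clock data the text warns about. The Python below is an added example for this page (not course material, not Cisco code and not an NTP implementation): it builds a constructed NTPv3 packet, attaches the keyed-MD5 authenticator, and verifies packets under both the key check and a peer ACL. The key, key id, peer addresses and timestamp are constructed.

```python
import hashlib
import hmac
import struct
from typing import Dict, Set, Tuple

NTP_HEADER_LEN = 48  # fixed NTP header (RFC 1305)
MAC_LEN = 4 + 16     # 32-bit key identifier + 128-bit MD5 digest


def build_header(tx_timestamp: int, stratum: int = 2, ref_id: bytes = b"GPS\x00") -> bytes:
    """Constructed NTPv3 server reply header: LI=0, VN=3, mode=4 (server)."""
    first = (0 << 6) | (3 << 3) | 4
    poll, precision = 6, -20
    root_delay = root_dispersion = 0
    ref_ts = orig_ts = recv_ts = 0
    return struct.pack("!BBbbII4sQQQQ", first, stratum, poll, precision,
                       root_delay, root_dispersion, ref_id,
                       ref_ts, orig_ts, recv_ts, tx_timestamp)


def append_mac(header: bytes, key_id: int, key: bytes) -> bytes:
    """NTPv3 authenticator: key id, then MD5(key || 48-byte header)."""
    if len(header) != NTP_HEADER_LEN:
        raise ValueError("header must be exactly 48 bytes")
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


def verify(packet: bytes, src_ip: str, trusted_keys: Dict[int, bytes],
           allowed_peers: Set[str]) -> Tuple[bool, str]:
    """Accept only from a permitted peer (the ACL) with a valid MAC under a trusted key."""
    if src_ip not in allowed_peers:
        return False, f"{src_ip} is not in the NTP access group"
    if len(packet) == NTP_HEADER_LEN:
        return False, "unauthenticated packet (no MAC) rejected"
    if len(packet) != NTP_HEADER_LEN + MAC_LEN:
        return False, "unexpected packet length"
    header = packet[:NTP_HEADER_LEN]
    key_id = struct.unpack("!I", packet[NTP_HEADER_LEN:NTP_HEADER_LEN + 4])[0]
    digest = packet[NTP_HEADER_LEN + 4:]
    key = trusted_keys.get(key_id)
    if key is None:
        return False, f"key id {key_id} is not a trusted key"
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, digest):
        return False, "digest mismatch: packet altered in transit or wrong key"
    return True, f"authenticated with key {key_id}"


if __name__ == "__main__":
    keys = {1: b"example-key"}          # constructed shared key
    peers = {"10.1.1.10"}               # constructed master clock address
    hdr = build_header(tx_timestamp=0xE4D5E9A000000000)  # constructed NTP timestamp
    pkt = append_mac(hdr, 1, keys[1])
    print(verify(pkt, "10.1.1.10", keys, peers))
    # Rewrite the transmit timestamp (bytes 40..48) as an on-path attacker would.
    tampered = pkt[:40] + bytes(8) + pkt[48:]
    print(verify(tampered, "10.1.1.10", keys, peers))
    print(verify(hdr, "10.1.1.10", keys, peers))
    print(verify(pkt, "203.0.113.5", keys, peers))
```

The peer check is placed first so that an unknown Internet source is refused before any digest is computed; the digest check is then what stops a permitted but altered packet from changing the clock.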
Summary

This topic summarizes the information you learned in this lesson.

Summary

• The need for network security has increased as networks have become more complex and interconnected.
• The following are the components of a complete security policy:
  — Statement of authority and scope
  — Acceptable use policy
  — Identification and authentication policy
  — Internet use policy
  — Campus access policy
  — Remote access policy
  — Incident handling procedure
• The Security Wheel details the view that security is an ongoing process.
• The Security Wheel includes four phases: secure, monitor, test, and improve.
• The following are the four types of security threats:
  — Structured
  — Unstructured
  — Internal
  — External
• The following are common attack methods and techniques used by hackers:
  — Packet sniffers
  — IP weaknesses
  — Password attacks
  — DoS or DDoS
  — Man-in-the-middle attacks
  — Application layer attacks
  — Trust exploitation
  — Port redirection
  — Virus
  — Trojan horse
  — Operator error
• Management protocols can in themselves be a source of vulnerability.
Overview of Virtual Private Networks and IPSec Technologies

Overview

This lesson teaches what Virtual Private Networks (VPNs) are, and explores fundamental IP security (IPSec) technologies. It includes the following topics:

• Objectives
• Cisco VPN products
• IPSec overview
• IPSec protocol framework
• How IPSec works
• Summary


Objectives

This topic lists the lesson’s objectives.

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

• Define the three VPN solutions.
• Describe the three Cisco VPN product families and their related products.
• Identify IPSec and other open standards supported by Cisco VPN products.
• Identify the component technologies of IPSec.
• Explain how IPSec works.
Cisco VPN Products 


Cisco products support the latest in Virtual Private Network (VPN) technology. A VPN is a 
service offering secure, reliable connectivity over a shared public network infrastructure such as 
the Internet. 


VPN Definition

[Figure: a central site, a remote site, and a mobile user connected to one another across the Internet]

VPN—An encrypted connection between private networks over a public network such as the Internet
A VPN is an encrypted connection between private networks over a public network such as the Internet. The V and N stand for virtual network. The information from a private network is securely transported over a public network, such as the Internet, to form a virtual network. The P stands for private. To remain private, the traffic is encrypted to keep the data confidential. A VPN is a private virtual network.

There are three types of VPN networks:
• Remote access
• Site-to-site
• Firewall-based
The first VPN solution is remote access. Remote access is targeted to mobile users and home 
telecommuters. In the past, corporations supported remote users via dial-in networks. This 
typically necessitated a toll or toll-free call to access the corporation. With the advent of VPNs, a 
mobile user can make a local call to their ISP to access the corporation via the Internet wherever 
they may be. It is an evolution of dial networks. Remote access VPN can support the needs of 
telecommuters, mobile users, extranet consumer-to-business, and so on. 
Site-to-Site VPNs

The next VPN solution is site-to-site. VPN site-to-site can be used to connect corporate sites. In the past, a leased line or frame relay connection was required to connect sites, but now most corporations have Internet access. With Internet access, leased lines and frame relay lines can be replaced with site-to-site VPN. Use site-to-site VPN to provide the network connection. VPN can support company intranets and business partner extranets. Site-to-site VPN is an extension of the classic wide area network (WAN). 
The last solution is firewall-based VPNs. Firewall-based VPN solutions are not a technical issue 
but a management issue. The question is who manages the VPN network. If corporate security 
manages the VPN network, a firewall-based VPN may be the VPN solution of choice. 
Corporations can enhance their existing firewall systems to support VPN services. 
VPN Product Function Matrix and Positioning

The VPN product function matrix compares VPN networks and Cisco products. In the top row of the table there are the two VPN applications: remote access and site-to-site. In the left column of the table, there are three product lines: VPN-enabled routers, the Concentrator, and the PIX Firewall. If the primary role of the equipment is to perform as a site-to-site VPN with a few remote access connections, the VPN-enabled router is the primary product. On the other hand, if the primary role is to perform as a remote access VPN with a few site-to-site connections, the Concentrator is the product of choice. If the network is owned by the security organization, the PIX Firewall is the primary VPN product. 


The following can be used as a reference for overall Cisco IP VPN positioning:
• Dedicated VPN
  — 3000 for remote access
  — 7100/7200
• VPN-enabled routers series
  — SOHO/800
  — 1700/2600
  — 3700/3600
  — 7200/7400/Cat6500
• Firewall VPN
  — PIX Firewall 5xx
Remote Access VPNs—Concentrator

The Cisco VPN 3000 Concentrator Series is a family of purpose-built, remote access VPN 
platforms and VPN Client software that incorporates high availability, high performance, and 
scalability with the most advanced encryption and authentication techniques available today. 
With the Cisco VPN 3000 Concentrator Series, customers can take advantage of the latest VPN 
technology to vastly reduce their communications expenditures. Unique to the industry, it is the 
only scalable platform to offer field-swappable and customer-upgradeable components. These 
components, called Scalable Encryption Processing (SEP) modules, enable companies to easily 
add capacity and throughput. 


With all versions of the Concentrator, the Cisco VPN Client is provided at no additional charge 
and includes unlimited distribution licensing. The Cisco VPN 3000 Concentrator Series is 
available in redundant or load-balancing configurations, enabling customers to build the most 
robust, reliable, and cost-effective VPNs possible. 


The Cisco VPN 3002 Hardware Client is a network appliance used to connect Small Office Home 
Office (SOHO) LANs to the VPN. The device comes in either a single port or eight-port switch 
version. The Hardware Client replaces traditional VPN Client applications on individual SOHO 
computers. 


All models in the Cisco VPN 3000 Concentrator Series support an easy-to-use management 
interface accessible via a web browser. 
The Cisco VPN 3000 Concentrator Series includes models to support a range of enterprise 
customers, from small businesses with 100 or fewer remote access sessions to large organizations 
with up to 10,000 simultaneous remote sessions. The Cisco VPN 3000 Concentrator Series table 
can be used to determine which model is best for your environment. The top row lists the five 
models in the Cisco VPN 3000 Concentrator Series family. The left column lists some of the 
VPN characteristics. 
The Concentrators can communicate with three IPSec clients: the Certicom IPSec client, the 
Cisco VPN Software Client, and the Hardware Client. The Certicom Client is a wireless client 
loaded on wireless PDAs such as the Palm operating system, HP Jornada, Compaq iPAQ, and so 
on. The Cisco VPN Software Client is loaded on an individual’s PC. The Hardware Client is a 
standalone client located in small offices and home offices. 
Site-to-site VPNs provide cost benefits relative to private WANs and also enable new applications like extranets. However, site-to-site VPNs are still an end-to-end network and are subject to the same scalability, reliability, security, multi-protocol, and similar requirements that exist in the private WAN. In fact, because VPNs are built on a public network infrastructure, they 
have additional requirements such as heightened security and advanced Quality of Service (QoS) 
capabilities, and a set of policy management tools to manage these additional features. 


Cisco provides a suite of VPN-optimized routers. Cisco IOS software running in Cisco routers 
combines rich VPN services with industry-leading routing, thus delivering a comprehensive 
solution. Cisco routing software adds scalability, reliability, multi-protocol, multi-service, 
management, Service Level Agreement monitoring, and QoS to site-to-site applications. The 
Cisco VPN software adds strong security via encryption and authentication. These Cisco VPN- 
enabled products provide high performance for site-to-site, intranet, and extranet VPN solutions. 
Cisco provides a suite of VPN-optimized routers. These routers run the range of VPN applications from telecommuter applications with the Cisco 800 router; to small branch office connectivity with the Cisco 1700 router; to enterprise branch with the Cisco 1760 router; to the large branch with Cisco 3600 and 3725 routers; and enterprise headquarters with the Cisco 3745 router. 
VPN-optimized routers provide VPN solutions for hybrid VPN environments where modularity, 
port density, and flexibility are required for private WAN aggregation and other classic WAN 
applications. 
• Hardware accelerators deliver enhanced encryption performance 


You can use the table in the figure to determine which model is best for your small- to mid-sized 
environment. The table identifies router platforms, and their related hardware accelerator card and 
maximum throughput. Lab performance numbers are based on the following configuration: 
Triple-Data Encryption Standard (3DES) with Hashed Message Authentication Code (HMAC)- 
Security Hash Algorithm 1 (SHA-1), 100% CPU use, and no other services running, such as QoS, 
Network Address Translation (NAT), Generic Routing Encapsulation (GRE), and so on. Actual 
network performance varies, depending on the services running in each router. 


Hardware encryption accelerator cards provide high-performance, hardware-assisted encryption, 
and key generation suitable for VPN applications. Hardware encryption accelerators improve 
overall system performance by offloading encryption and decryption processing, thus freeing 
main system resources for other tasks, such as route processing, QoS, and other network services. 
In mid-sized routers, there are four modules available:

• AIM-VPN/BP (Base Performance)—This advanced integration module (AIM) can be added to all Cisco 2600 routers
• AIM-VPN/HP (High Performance)—High performance AIM for Cisco 3660 routers
• NM-VPN/MP (Mid Performance)—This network module is supported on all Cisco 3620 and 3640 routers
The Cisco VPN Router portfolio adds high-end VPN connectivity with Cisco 7100, 7200, 7400 series routers, and the Cisco Catalyst 6500 IPSec Services module. VPN-optimized routers and the Cisco Catalyst 6500 IPSec VPN Services module provide VPN solutions for large-scale hybrid VPN environments where modularity, high performance, and flexibility are required. 
• Hardware accelerators deliver enhanced encryption performance 


You can use the table in the figure to determine which enterprise model is best for your 
environment. The table identifies router platforms, and their related hardware encryption 
accelerator card and maximum throughput. Lab performance numbers are based on the following 
configuration: 3DES with HMAC-SHA-1, 100% CPU use, and no other services running, such as 
QoS, NAT, GRE, and so on. Actual network performance varies depending on the services 
running in each router. 


Hardware encryption accelerator cards provide high-performance, hardware-assisted encryption, and key generation suitable for VPN applications. For the enterprise routers, there are three versions:

• VPN Acceleration Module (VAM)—The VAM for Cisco 7200 and 7100 series routers provides high-performance, hardware-assisted encryption, and key generation. VAM also supports IP payload Lempel-Ziv Compression (LZS) compression services for VPN applications. There are two versions: VAM Service Adapter and VAM Service Module.
• Integrated Service Module (ISM)—ISM uses a special slot created for offloading encryption and key generating services within the Cisco 7100 series routers (maximum of one ISM per Cisco 71XX series router).
• Integrated Service Adapter (ISA)—ISA is a service adapter that inserts in any open port adapter slot in any Cisco 7200 router and can be used within the single port adapter of the Cisco 7140 router (up to one ISA per Cisco 7140 router or two per Cisco 7200 series routers, and not available on Cisco 7120 router).


The Cisco IPSec VPN Services Module is a high-speed module for the Cisco Catalyst 6500 Series Switch. Incorporating the latest in encryption hardware acceleration technology, the Cisco IPSec VPN Services Module can deliver up to 1.9 Gbps of 3DES traffic and can terminate 8000 IPSec tunnels. 
The PIX Firewall is a key element in the overall Cisco end-to-end security solution. The PIX 
Firewall is a dedicated hardware and software security solution that delivers high security without 
impacting network performance. If security manages the VPN, the PIX Firewall may be the VPN 
solution of choice. Customers may wish to enhance their existing Firewall equipment to support 
VPN services. Firewall-based VPN solutions support intranet, extranet, and remote user 
applications. 
The Cisco PIX Firewall 500 series provides products that cover the entire spectrum of VPN site-to-site applications. The chart in the figure contrasts cost versus functionality. The following models are available:

• PIX Firewall 501—Supports up to 5 tunnels
• PIX Firewall 506E—Supports up to 25 tunnels
• PIX Firewall 515E—Supports up to 2,000 tunnels
• PIX Firewall 525—Supports up to 2,000 tunnels
• PIX Firewall 535—Supports up to 2,000 tunnels

The Cisco PIX Firewall 500 series scales to meet a range of VPN requirements and network sizes. 
You can use the table in the figure to determine which PIX Firewall model is best for your VPN environment. The top row lists the five models in the PIX Firewall 500 series family. The left column lists some of the VPN and PIX Firewall characteristics.

The VPN Accelerator Card (VAC) for the Cisco PIX Firewall series provides high-performance tunneling and encryption services suitable for site-to-site and remote access applications. This hardware-based VPN accelerator is optimized to handle the repetitive but voluminous mathematical functions required for IPSec. Offloading the encryption function to the card improves IPSec encryption processing. The VAC fits in a PCI slot inside the PIX Firewall chassis. A PIX Firewall equipped with a VAC supports as many as 2000 encrypted tunnels for concurrent sessions with mobile users or other sites. There is a limit of one VAC for each of the following PIX Firewall models: 515E, 525, and 535. 
Cisco now provides the industry’s broadest VPN solution set. Cisco provides solutions from SOHO and small branch offices to the medium and large enterprise customers. Cisco provides solutions for remote access, site-to-site, and firewall-based VPN solutions.

The top row of the table in the figure lists the three VPN solutions. The left column of the table lists the four customer types. You can use this table to determine which model is best for your environment. 


Copyright © 2005, Cisco Systems, Inc. Overview of Virtual Private Networks and IPSec Technologies 3-21 


VPN Interoperability

[Figure: site-to-site VPN interoperability table. Columns: PIX Firewall, Concentrator, Cisco VPN Client. Rows: Required IOS release, Required PIX Firewall release, Required Concentrator release. The only cell value that survived extraction is 12.2(8)T.]
© 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0—3-21 


It is possible to interoperate between Cisco devices in a site-to-site environment. In a customer’s 
network, there may be a PIX Firewall at one site and a Cisco router at another. A VPN tunnel can 
be established between the PIX Firewall and router as long as the software is at the minimum 
required revision. The site-to-site VPN interoperability table in the figure provides IOS, PIX 
Firewall, and Concentrator software revision levels. 
IPSec acts at the network layer, protecting and authenticating IP packets between participating 
IPSec devices (peers). IPSec is not bound to any specific encryption or authentication algorithms, 
keying technology, or security algorithms. IPSec is a framework of open standards. By not 
binding IPSec to specific algorithms, IPSec allows for newer and better algorithms to be 
implemented without patching the existing IPSec standards. IPSec provides data confidentiality, 
data integrity, and origin authentication between participating peers at the IP layer. IPSec is used 
to secure a path between a pair of gateways, a pair of hosts, or a gateway and host. 
IPSec security services provide four critical functions: 


m= Confidentiality (encryption)—The sender can encrypt the packets before transmitting them 
across a network. By doing so, no one can eavesdrop on the communication. If intercepted, 
the communications cannot be read. 


m= Data integrity—The receiver can verify that the data was transmitted through the Internet 
without being changed or altered in any way. 


m Origin authentication—The receiver can authenticate the source of the packet, guaranteeing 
and certifying the source of the information. 


m Anti-replay protection—Anti-replay protection verifies that each packet is unique and not a duplicate. IPSec packets are protected by comparing the sequence number of each received packet against a sliding window on the destination host or security gateway. A packet whose sequence number falls before the sliding window is considered late, and a packet whose sequence number has already been seen inside the window is a duplicate. Late and duplicate packets are dropped. 
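The sliding-window check described above, as an added example that is not part of the course text or any Cisco implementation. It models the receiver side of an ESP or AH security association: the highest sequence number accepted so far is the right edge of the window, a bitmap records which of the most recent sequence numbers have already arrived, and anything left of the window or already marked is dropped. The window size of 64 is the RFC 2406 default (32 is the required minimum); the sequence numbers fed in are constructed for the example.

```python
"""Anti-replay sliding window as used by an IPSec receiver (added example).

Constructed model, not code from the course or a Cisco product.  The receiver
tracks the highest sequence number accepted (right edge of the window) and a
bitmap of which of the WINDOW_SIZE most recent sequence numbers have been seen.
"""

WINDOW_SIZE = 64  # RFC 2406: minimum window 32, default 64


class AntiReplayWindow:
    def __init__(self, window_size=WINDOW_SIZE):
        self.size = window_size
        self.right_edge = 0        # highest sequence number accepted so far
        self.bitmap = 0            # bit i set => sequence (right_edge - i) was seen
        self.accepted = 0
        self.dropped_late = 0
        self.dropped_duplicate = 0

    def check(self, seq):
        """Return True and record seq if it is new and inside the window, else False."""
        if seq == 0:
            # The first sequence number on an SA is 1; 0 is never valid.
            self.dropped_late += 1
            return False
        if seq > self.right_edge:
            # New high-water mark: slide the window right, then mark this packet at bit 0.
            shift = seq - self.right_edge
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) & mask) if shift < self.size else 0
            self.bitmap |= 1
            self.right_edge = seq
            self.accepted += 1
            return True
        offset = self.right_edge - seq
        if offset >= self.size:
            self.dropped_late += 1         # left of the window: too old
            return False
        if self.bitmap & (1 << offset):
            self.dropped_duplicate += 1    # already seen inside the window: a replay
            return False
        self.bitmap |= 1 << offset         # out of order but new: accept
        self.accepted += 1
        return True


def run_sequence(seqs, window_size=WINDOW_SIZE):
    """Feed received sequence numbers through one window; return (seq, verdict) pairs and the window."""
    window = AntiReplayWindow(window_size)
    return [(seq, window.check(seq)) for seq in seqs], window
```

Feeding the constructed arrival order 1, 2, 3, 5, 4, 3, 70, 6 through `run_sequence` accepts the reordered 4, drops the replayed 3, and, after 70 moves the window, drops 6 as late.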
The good news is that the Internet is a public network. The bad news is that the Internet is a public network. Clear text data transported over the public Internet can be intercepted and read. In order to keep the data private, the data can be encrypted. By digitally scrambling, the data is rendered unreadable. 
For encryption to work, both the sender and receiver need to know the rules used to transform the 
original message into its coded form. Rules are based on an algorithm and a key. An algorithm is 
a mathematical function, which combines a message, text, digits, or all three with a string of 
digits called a key. The output is an unreadable cipher string. Decryption is extremely difficult or 
impossible without the correct key. 


In the example in the figure, someone wants to send a financial document across the Internet. At the local end, the document is combined with a key and run through an encryption algorithm. The output is undecipherable ciphertext. The ciphertext is then sent through the Internet. At the remote end, the ciphertext is combined with the key and run through the decryption algorithm. The output is the original financial document. 


There are two types of encryption keys: 


m= Symmetric—With symmetric key encryption, each peer uses the same key to encrypt and 
decrypt the data. 


m= Asymmetric—With asymmetric key encryption, the local end uses one key to encrypt, and 
the remote end uses another key to decrypt the traffic. 
DES, 3DES, AES, HMAC-Message Digest 5 (HMAC-MD5), and HMAC-SHA require a symmetric shared secret key to perform encryption and decryption (or, for the HMACs, to compute and verify the authentication hash). The question is how the encrypting and decrypting devices get the shared secret key. The keys can be sent by e-mail, courier, overnight express, or public key exchange. The easiest method is Diffie-Hellman (DH) public key exchange. The DH key agreement is a public key exchange method that provides a way for two peers to establish a shared secret key, which only they know, although they are communicating over an insecure channel. 


Public key cryptosystems rely on a two-key system: a public key, which is exchanged between 
end-users, and a private key, which is kept secret by the original owners. DH public key 
algorithm states that if user A and user B exchange public keys and a calculation is performed on 
their individual private key and one another’s public key, the end result of the process is an 
identical shared key. The shared key is used to derive encryption and authentication keys. DH 
key exchange is covered in more depth later in this lesson. 


There are variations of the DH key exchange algorithm, known as DH groups 1 through 7. DH groups 1, 2, and 5 use exponentiation over a prime modulus with a modulus size of 768, 1024, and 1536 bits respectively. Cisco VPN Clients support DH groups 1, 2, and 5. DES and 3DES encryption support DH groups 1 and 2. AES encryption supports DH groups 2 and 5. The Certicom wireless VPN Client supports group 7. Group 7 uses elliptic curve cryptography, which reduces the time needed to generate keys. During tunnel setup, VPN peers negotiate which DH group to use. A 768-bit modulus (group 1) is no longer considered secure against a well-resourced attacker, so configure the largest group both peers support. 


The DH exchange itself resists eavesdropping: although someone may observe a user's public key, the shared secret cannot be computed because the private key never becomes public. DH does not, however, tell a peer who it is exchanging keys with; an attacker in the path could run a separate exchange with each side. That is why IKE authenticates the peers (with pre-shared keys, RSA signatures, or RSA encrypted nonces, described later in this lesson) before the tunnel is trusted. 
The DH key exchange is a public key exchange method that provides a way for two IPSec peers to establish a shared secret key that only they know, although they are communicating over an insecure channel. 


With DH, each peer generates a public and private key pair. The private key generated by each peer is kept secret and never shared. The public key is calculated from the private key by each peer and is exchanged over the insecure channel. Each peer combines the other's public key with its own private key, and computes the same shared secret number. The shared secret number is then converted into a shared secret key. The shared secret key is never exchanged over the insecure channel. 
Complete the following steps to implement the Diffie-Hellman process: 


Step 1 The DH process starts with each peer generating a large prime integer, p and q. Each peer sends the other its prime integer over the insecure channel. For example, Peer A sends p to Peer B. Each peer then uses the p and q values to generate g, a primitive root of p. (In IKE, p and g are fixed by the DH group the peers negotiate, so this step reduces to agreeing on the group.) 

Step 2 Each peer generates a private DH key (peer A: Xa, peer B: Xb). The private key is a large random number that is never transmitted. 

Step 3 Each peer generates a public DH key. The local private key is combined with the prime number p and the primitive root g in each peer to generate a public key, Ya for peer A and Yb for peer B. The formula for peer A is Ya = g^Xa mod p. The formula for peer B is Yb = g^Xb mod p. The ^ character denotes exponentiation (g to the Xa power); mod denotes modulus. The exponentiation is computationally expensive. 

Step 4 The public keys Ya and Yb are exchanged in public. 

Step 5 Each peer generates a shared secret number (ZZ) by combining the public key received from the opposite peer with its own private key. The formula for peer A is ZZ = Yb^Xa mod p. The formula for peer B is ZZ = Ya^Xb mod p. The ZZ values are identical in each peer, because both equal g^(Xa*Xb) mod p. Anyone who knows p, g, or the DH public keys cannot guess or easily calculate the shared secret value, because recovering a private key Xa from Ya = g^Xa mod p (the discrete logarithm problem) is computationally infeasible for a sufficiently large p. 
Shared secret number ZZ is used in the derivation of the encryption and authentication symmetrical keys. 
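The five DH steps above carried through in code, using the same symbols (p, g, Xa, Xb, Ya, Yb, ZZ). This is an added example, not code from the course or from a Cisco product. It uses the 1024-bit prime and generator of DH group 2 (RFC 2409 section 6.2), transcribed here and self-checked for being a safe prime before use so that a copying error raises instead of silently weakening the exchange. The key derivation at the end (HMAC-SHA-1 over ZZ with fixed labels) is only an illustration of "ZZ is used to derive encryption and authentication keys" and is not IKE's actual SKEYID derivation.

```python
"""Diffie-Hellman with the lesson's symbols p, g, Xa, Xb, Ya, Yb, ZZ (added example).

Not code from the course or a Cisco product.  P_GROUP2/G_GROUP2 are the
DH group 2 parameters from RFC 2409 section 6.2, transcribed here and
checked before use.  derive_keys() is an illustrative KDF, not IKE's.
"""
import hashlib
import hmac
import secrets

P_GROUP2 = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G_GROUP2 = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin primality test; small primes handled exactly first."""
    if n < 2:
        return False
    for q in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def check_group(p, g):
    """Step 1 sanity check: p must be a safe prime ((p-1)/2 also prime) and g in range."""
    if not (is_probable_prime(p) and is_probable_prime((p - 1) // 2)):
        raise ValueError("modulus is not a safe prime; refusing to use this group")
    if not 1 < g < p - 1:
        raise ValueError("generator out of range")


def dh_private_key(p):
    """Step 2: a random private exponent X in [2, p-2], never transmitted."""
    return secrets.randbelow(p - 3) + 2


def dh_public_key(p, g, x):
    """Step 3: Y = g^X mod p."""
    return pow(g, x, p)


def dh_shared_secret(p, peer_public, x):
    """Step 5: ZZ = Y_peer^X mod p, after rejecting degenerate public values (0, 1, p-1)."""
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value is degenerate")
    return pow(peer_public, x, p)


def derive_keys(zz, p):
    """Illustrative KDF (an assumption, not IKE's SKEYID): HMAC-SHA-1 over ZZ with a label per key."""
    zz_bytes = zz.to_bytes((p.bit_length() + 7) // 8, "big")
    enc = hmac.new(zz_bytes, b"encryption", hashlib.sha1).digest()
    auth = hmac.new(zz_bytes, b"authentication", hashlib.sha1).digest()
    return enc, auth


def dh_exchange(p=P_GROUP2, g=G_GROUP2, xa=None, xb=None):
    """Run all five steps for peers A and B; return both sides' results plus the public transcript."""
    check_group(p, g)                                          # Step 1: agree on p and g
    xa = dh_private_key(p) if xa is None else xa               # Step 2 on peer A
    xb = dh_private_key(p) if xb is None else xb               # Step 2 on peer B
    ya, yb = dh_public_key(p, g, xa), dh_public_key(p, g, xb)  # Step 3
    transcript = {"p": p, "g": g, "Ya": ya, "Yb": yb}          # Step 4: all an eavesdropper sees
    zz_a = dh_shared_secret(p, yb, xa)                         # Step 5 on peer A
    zz_b = dh_shared_secret(p, ya, xb)                         # Step 5 on peer B
    return {"ZZ_a": zz_a, "ZZ_b": zz_b, "keys_a": derive_keys(zz_a, p),
            "keys_b": derive_keys(zz_b, p), "transcript": transcript}
```

`dh_exchange()` with no arguments runs a group 2 exchange with fresh private keys; passing a small safe prime such as p = 23, g = 5 with fixed Xa and Xb lets you follow the arithmetic by hand (Ya = 8, Yb = 19, ZZ = 2). The degenerate-value check in step 5 matters in practice: a peer that sends 1 or p-1 forces ZZ into a tiny set of values.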
The degree of security depends on the length of the key. If someone tries to hack the key through 
a brute force attack, guessing every possible combination, the number of possibilities is a 
function of the length of the key. The time to process all the possibilities is a function of the 
computing power of the computer. Therefore, the shorter the key, the easier it is to break. 


Some of the encryption algorithms are as follows: 


m DES algorithm—DES was developed by IBM. DES uses a 56-bit key and encrypts quickly. DES is a symmetric key cryptosystem. A 56-bit key can be recovered by brute force with modest dedicated hardware, so DES is no longer considered secure and should not be selected where 3DES or AES is available. 


m 3DES algorithm—The 3DES algorithm is a variant of the 56-bit DES. 3DES operates similarly to DES, in that data is broken into 64-bit blocks. 3DES then processes each block three times, each time with an independent 56-bit key. 3DES is substantially stronger than 56-bit DES (an effective key strength of about 112 bits rather than the full 168, because of meet-in-the-middle attacks). 3DES is a symmetric key cryptosystem. 


m Advanced Encryption Standard (AES)—The National Institute of Standards and Technology (NIST) has adopted the Advanced Encryption Standard to replace DES encryption in cryptographic devices. AES provides stronger security than DES and is computationally more efficient than 3DES. AES offers three different key strengths: 128-, 192-, and 256-bit keys. 


m RSA—RSA is an asymmetric key cryptosystem. It uses a key length of 512, 768, 1024, or more bits. IPSec does not use RSA for data encryption. Internet Key Exchange (IKE) uses RSA only during the peer authentication phase. 


Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc. 


RSA Encryption (slide CSVPN 4.0—3-30)

The local end encrypts a check reading "Pay to Terry Smith $100.00, One Hundred and xx/100 Dollars" with the remote end's public key; the remote end decrypts it with its private key and recovers the same text.


Rivest, Shamir, and Adleman (RSA) is a public key encryption technique that is also used for digital signatures. RSA encryption uses asymmetric keys for encryption and decryption. Each end, local and remote, generates a key pair: a private key and a public key. Each keeps its private key and exchanges its public key with the people it wishes to communicate with. 


To send an encrypted message to the remote end, the local end encrypts the message using the remote's public key and the RSA encryption algorithm. The result is unreadable ciphertext. This message is sent through the Internet. At the remote end, the remote end uses its private key and the RSA algorithm to decrypt the ciphertext. The result is the original message. The only one who can decrypt the message is the destination that owns the private key. 


With RSA, the opposite also holds true. The remote end can encrypt a message using its own private key, and the receiver can decrypt it using the sender's public key. Because anyone holding the public key can perform that decryption, this direction provides origin authentication rather than confidentiality; it is the basis of the RSA digital signatures described below. 
The next VPN-critical function is data integrity. VPN data is transported over the public Internet. Potentially, this data could be intercepted and modified. To guard against this, each message has a hash attached to it. If the hash the receiver recomputes over the received message matches the hash that was transmitted, the message has not been tampered with; if there is no match, the message was altered. A plain hash alone would not stop an attacker who can rewrite both the message and its hash, which is why IPSec keys the hash with a secret shared by the peers (HMAC, described below). 


In the example in the figure, someone is trying to send Terry Smith a check for $100. At the 
remote end, Alex Jones is trying to cash the check for $1000. As the check progressed through 
the Internet, it was altered. Both the recipient and dollar amounts were changed. In this case, the 
hashes did not match. The transaction is no longer valid. 
A Hashed Message Authentication Code (HMAC) guarantees the integrity of the message. At the 
local end, the message and a shared secret key are sent through a hash algorithm, which produces 
a hash value. The message and hash are sent over the network. 


At the remote end, there is a two-step process. First, the received message and shared secret key 
are sent through the hash algorithm, resulting in a re-calculated hash value. Second, the receiver 
compares the re-calculated hash with the hash that was attached to the message. If the original 
hash and re-calculated hash match, the integrity of the message is guaranteed. If any of the 
original message is changed while in transit, the hash values are different. 


Basically, a hash algorithm is a formula used to convert a variable length message into a single 
string of digits of a fixed length. It is a one-way algorithm. A message can produce a hash, but a 
hash cannot produce the original message. It is analogous to dropping a plate on the floor. The 
plate can produce a multitude of pieces, but the pieces cannot be recombined to reproduce the 
plate in its original form. 
There are two common Hashed Message Authentication Code (HMAC) algorithms: 


m HMAC-MD5—Uses a 128-bit shared secret key. The variable length message and 128-bit shared secret key are combined and run through the HMAC-MD5 hash algorithm. The output is a 128-bit hash. The hash is appended to the original message and forwarded to the remote end. 


m HMAC-SHA-1—HMAC-SHA-1 uses a 160-bit secret key. The variable length message and 
the 160-bit shared secret key are combined and run through the HMAC-SHA-1 hash 
algorithm. The output is a 160-bit hash. The hash is appended to the original message and 
forwarded to the remote end. 


HMAC-SHA-1 is considered cryptographically stronger than HMAC-MD5 and is the recommended choice where that extra security margin matters. In AH and ESP, both HMAC-MD5 and HMAC-SHA-1 outputs are truncated to their leftmost 96 bits before being placed in the packet (HMAC-MD5-96 and HMAC-SHA-1-96). 
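The integrity check from the Terry Smith example, run with a keyed hash as IPSec does. This is an added example, not code from the course: it computes HMAC-SHA-1 over the check with a shared secret, truncates the result to 96 bits the way AH and ESP carry it, and shows that changing the payee or amount, or verifying with a different key, fails. The key and messages are constructed for the example; the constant-time comparison is the detail a practitioner should copy, since an early-exit byte comparison can leak the expected tag one byte at a time.

```python
"""Keyed integrity check (HMAC-SHA-1-96) over a message, as in AH/ESP (added example).

Not code from the course or a Cisco product.  Key and messages are constructed.
"""
import hashlib
import hmac

TRUNCATED_LEN = 12  # 96 bits: the ICV length AH and ESP carry for HMAC-MD5-96 / HMAC-SHA-1-96


def compute_icv(key: bytes, message: bytes, algo: str = "sha1") -> bytes:
    """Sender side: HMAC over the message with the shared key, truncated to 96 bits."""
    return hmac.new(key, message, getattr(hashlib, algo)).digest()[:TRUNCATED_LEN]


def verify_icv(key: bytes, message: bytes, received_icv: bytes, algo: str = "sha1") -> bool:
    """Receiver side: recompute, then compare in constant time so timing does not leak the tag."""
    expected = compute_icv(key, message, algo)
    return hmac.compare_digest(expected, received_icv)


def integrity_demo():
    """Sign the $100 check, then try to pass off the altered check and a wrong key."""
    key = b"constructed-shared-secret-key-160bits"  # constructed; a real SHA-1 HMAC key is 20 random bytes
    original = b"Pay to Terry Smith $100.00"
    icv = compute_icv(key, original)
    tampered = b"Pay to Alex Jones $1000.00"          # the alteration from the figure
    return {
        "icv_len_bytes": len(icv),
        "unmodified_verifies": verify_icv(key, original, icv),
        "tampered_verifies": verify_icv(key, tampered, icv),
        "wrong_key_verifies": verify_icv(b"some-other-key", original, icv),
        "md5_icv_len_bytes": len(compute_icv(key, original, "md5")),
    }
```

Without the key, an attacker who alters the check can simply recompute the plain hash; with it, producing a valid tag for the altered check requires the secret.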
The last critical function is origin authentication. In the middle ages, a seal guaranteed the authenticity of an edict. In modern times, a signed document is notarized with a seal and a signature. In the electronic era, a document is signed using the sender's private key: a digital signature. A signature is verified by decrypting the signature with the sender's public key. 


In the example in the figure, the local device derives a hash and encrypts it with its private key. The encrypted hash (the digital signature) is attached to the message and forwarded to the remote end. At the remote end, the encrypted hash is decrypted using the local end's public key. If the decrypted hash matches the re-computed hash, the signature is genuine. A digital signature ties a message to a sender, so the sender is authenticated. It is used during the initial establishment of a VPN tunnel to authenticate both ends of the tunnel. 


There are two common digital signature algorithms: RSA and the Digital Signature Algorithm (DSA). RSA is used commercially and is the most common. DSA is used by U.S. Government agencies and is not as common. 
Peer authentication methods: 
¢ Pre-shared keys 
¢ RSA signatures 
¢ RSA encrypted nonces 


When conducting business long distance, it is necessary to know who is at the other end of the 
phone, e-mail, or fax. The same is true of VPN networking. The device on the other end of the 
VPN tunnel must be authenticated before the communication path is considered secure. There are 
three peer authentication methods: 


m Pre-shared keys—A secret key value entered manually into each peer and used to authenticate the peer. 


m RSA signatures—Uses the exchange of digital certificates to authenticate the peers. 


m RSA encrypted nonces—Nonces (a random number generated by each peer) are encrypted and then exchanged between peers. The two nonces are used during the peer authentication process. 
With pre-shared keys, the same pre-shared key is configured on each IPSec peer. At each end, the 
pre-shared key is combined with other information to form the authentication key. Starting at the 
local end, the authentication key and the identity information (device-specific information) are 
sent through a hash algorithm to form hash_I. The local IKE peer provides one-way 
authentication by sending hash_I to the remote peer. If the remote peer is able to independently 
create the same hash, the local peer is authenticated (shown above). 


The authentication process continues in the opposite direction. The remote peer combines its 
identity information with the pre-shared-based authentication key and sends them through a hash 
algorithm to form hash_R. Hash_R is sent to the local peer. If the local peer is able to 
independently create the same hash from its stored information and pre-shared-based 
authentication key, the remote peer is authenticated. Each peer must authenticate its opposite peer 
before the tunnel is considered secure. Pre-shared keys are easy to configure manually, but do not scale well. Each IPSec peer must be configured with the pre-shared key of every other peer with which it communicates, and the security of the method rests entirely on the secrecy and strength of that key. 
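The pre-shared-key exchange above, modeled in code as an added example (not code from the course or a Cisco product). It follows the RFC 2409 construction with HMAC-SHA-1 as the negotiated prf: SKEYID = prf(PSK, Ni | Nr); HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi | IDii); HASH_R the same with the roles swapped and IDir. The nonces, cookies, DH public values and SA payload body are constructed stand-ins for values that, in a real exchange, come from the first two main mode exchanges. Running it with matching keys authenticates both directions; a mismatched key on one side fails both, because SKEYID itself differs.

```python
"""IKE Phase 1 pre-shared-key authentication: HASH_I and HASH_R (added example).

Not code from the course or a Cisco product.  Follows RFC 2409 with HMAC-SHA-1
as the prf; all exchange values below are constructed stand-ins.
"""
import hashlib
import hmac
import secrets


def prf(key: bytes, data: bytes) -> bytes:
    """IKE prf with SHA-1 as the negotiated hash, i.e. HMAC-SHA-1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Pre-shared-key variant: SKEYID = prf(PSK, Ni_b | Nr_b)."""
    return prf(psk, ni + nr)


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai, idii):
    """HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)."""
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai + idii)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai, idir):
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai + idir)


class Peer:
    """One IKE peer holding its configured PSK and identity."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk = psk
        self.identity = identity

    def compute_hashes(self, exch):
        """Both authentication hashes as this peer computes them from the public exchange values."""
        skeyid = skeyid_psk(self.psk, exch["Ni"], exch["Nr"])
        args = (exch["gxi"], exch["gxr"], exch["CKY-I"], exch["CKY-R"], exch["SAi"])
        return hash_i(skeyid, *args, exch["IDii"]), hash_r(skeyid, *args, exch["IDir"])


def mutual_auth(initiator: Peer, responder: Peer):
    """Run the third main mode exchange; return (initiator_authenticated, responder_authenticated)."""
    exch = {  # public values from the first two exchanges; constructed here
        "Ni": secrets.token_bytes(16), "Nr": secrets.token_bytes(16),
        "gxi": secrets.token_bytes(128), "gxr": secrets.token_bytes(128),
        "CKY-I": secrets.token_bytes(8), "CKY-R": secrets.token_bytes(8),
        "SAi": b"constructed SA payload body: 3DES/SHA/pre-share/group2",
        "IDii": initiator.identity, "IDir": responder.identity,
    }
    sent_hash_i, _ = initiator.compute_hashes(exch)           # initiator sends HASH_I
    expected_hash_i, sent_hash_r = responder.compute_hashes(exch)
    initiator_ok = hmac.compare_digest(sent_hash_i, expected_hash_i)  # responder checks it
    _, expected_hash_r = initiator.compute_hashes(exch)       # responder sends HASH_R
    responder_ok = hmac.compare_digest(sent_hash_r, expected_hash_r)  # initiator checks it
    return initiator_ok, responder_ok
```

Because the identities are inputs to the hashes, a peer cannot reuse a captured HASH_I under a different identity; because SKEYID depends on the PSK, a peer configured with the wrong key fails in both directions.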
With Rivest, Shamir, and Adleman (RSA) signatures, hash_I and hash_R are not only 
authenticated, but are also digitally signed. Starting at the local end, the authentication key and 
identity information (device-specific information) are sent through a hash algorithm to form 
hash_I. The hash_I is then encrypted using the local peer’s private encryption key. The result is a 
digital signature. The digital signature and a digital certificate are forwarded to the remote peer. 
(The public encryption key for decrypting the signature is included in the digital certificate 
exchanged between peers.) 


At the remote peer, local peer authentication is a two-step process. First, the remote peer verifies 
the digital signature by decrypting it using the public encryption key enclosed in the digital 
certificate. The result is hash_I. Next, the remote peer independently creates hash_I from stored 
information. If the calculated hash_I equals the decrypted hash_I, the local peer is authenticated 
(shown in the figure). Digital signatures and certificates are discussed in more detail later in the 
digital certificate lesson. 


After the remote peer authenticates the local peer, the authentication process begins in the 
opposite direction. The remote peer combines its identity information with the authentication key 
and sends them through a hash algorithm to form hash_R. Hash_R is encrypted using the remote 
peer’s private encryption key, a digital signature. The digital signature and certificate are sent to 
the local peer. The local peer performs two tasks: it creates the hash_R from stored information, 
and it decrypts the digital signature. If the calculated hash_R and the decrypted hash_R match, 
the remote peer is authenticated. Each peer must authenticate its opposite peer before the tunnel is 
considered secure. 




RSA Encrypted Nonces (slide CSVPN 4.0—3-38)

Local peer: the authentication key and ID information are hashed to produce the authenticating hash (Hash_I), which is sent to the remote peer. Remote peer: the same information is hashed to a computed hash (Hash_I) and compared with the received hash (Hash_I).


Rivest, Shamir, and Adleman (RSA) encrypted nonces require that each party generate a nonce— 
a pseudorandom number. The nonces are then encrypted and exchanged. Upon receipt of the 
nonce, each end formulates an authentication key made up of the initiator and responder nonces, 
the DH key, and the initiator and responder cookies. The nonce-based authentication key is 
combined with device-specific information and run through a hash algorithm. Where the output 
becomes hash_I. The local IKE peer provides one-way authentication by sending hash_I to the 
remote peer. If the remote peer is able to independently create the same hash from stored 
information and its nonce-based authentication key, the local peer is authenticated (shown 
above). 


After the remote end authenticates the local peer, authentication process begins in the opposite 
direction. The remote peer combines its identity information with the nonce-based authentication 
key and sends them through a hash algorithm to form hash_R. Hash_R is sent to the local peer. If 
the local peer is able to independently create the same hash from stored information and the 
nonce-based key, the remote peer is authenticated. Each peer must authenticate its opposite peer 
before the tunnel is considered to be secure. 
The last topic discussed encryption, authentication, and integrity. This topic explains how encryption, integrity, and authentication are applied to the IPSec protocol suite. 
IPSec is a framework of open standards. IPSec spells out the messaging to secure the 
communications but relies on existing algorithms, such as DES and 3DES, to implement the 
encryption and authentication. The two main IPSec framework protocols are as follows: 


m Authentication Header (AH)—AH is the appropriate protocol when confidentiality is not 
required or permitted. It provides data authentication and integrity for IP packets passed 
between two systems. It is a means of verifying that any message passed from Router A to B 
has not been modified during transit. It verifies that the origin of the data was either Router A 
or B. AH does not provide data confidentiality (encryption) of packets. All text is transported 
in the clear. 


m Encapsulating Security Payload (ESP)—ESP is a security protocol that can provide confidentiality (encryption) and authentication. ESP provides confidentiality by performing encryption at the IP packet layer. In tunnel mode, encrypting the whole inner IP packet conceals both the data payload and the identities of the ultimate source and destination. ESP provides authentication for the encrypted payload and the ESP header. Authentication provides data origin authentication and data integrity. Although both encryption and authentication are optional in ESP, at a minimum one of them must be selected. 
Authentication is achieved by applying a keyed one-way hash function to the packet to create a 
hash or message digest. The hash is combined with the text and transmitted. Changes in any part 
of the packet that occur during transit are detected by the receiver when it performs the same one- 
way hash function on the received packet, and compares the value of the message digest that the 
sender has supplied. The fact that the one-way hash also involves the use of a symmetric key 
between the two systems means that authenticity is guaranteed. 
The Authentication Header (AH) function is applied to the entire datagram, except for any 
mutable IP header fields that change in transit (for example, Time To Live [TTL] fields that are 
modified by the routers along the transmission path). AH supports two algorithms: 


m HMAC-MD5 


m= HMAC-SHA-1 
AH works as follows: 


Step 1 The IP header and data payload are hashed. 

Step 2 The hash is used to build an AH header, which is appended to the original packet. 

Step 3 The new packet is transmitted to the IPSec peer. 

Step 4 The peer hashes the IP header and data payload. 

Step 5 The peer extracts the transmitted hash from the AH header. 

Step 6 The peer compares the two hashes. The hashes must exactly match. Even if one bit is changed in the transmitted packet, the hash output on the received packet will change and the AH header will not match. 
Encapsulating Security Payload (ESP) provides confidentiality by encrypting the payload. It supports a variety of symmetric encryption algorithms. The default algorithm for IPSec is 56-bit DES. Cisco products also support 3DES (and, as noted earlier, AES) for stronger encryption; DES should be avoided wherever a stronger algorithm is available on both peers. 


ESP can be used alone or in combination with AH. ESP with authentication (or combined with AH) also provides integrity and authentication of the datagrams. First, the payload is encrypted. Next, the encrypted payload is sent through a hash algorithm: HMAC-MD5 or HMAC-SHA-1. The hash provides origin authentication and data integrity for the data payload. 


ESP also provides anti-replay protection: every ESP header carries a sequence number that the sender increments for each packet, and the receiver checks it against its sliding window and drops late or duplicate packets, as described earlier in this lesson. 
Between two security gateways, the original payload is well protected because the entire original IP datagram is encrypted. An Encapsulating Security Payload (ESP) header and trailer are added to the encrypted payload. With ESP authentication, the encrypted IP datagram and the ESP header and trailer are included in the hashing process. Last, a new IP header is prepended to the authenticated payload. The new IP addresses are used to route the packet through the Internet. 


When both ESP authentication and encryption are selected, encryption is performed before authentication (encrypt-then-MAC). One reason for this order of processing is that it facilitates rapid detection and rejection of replayed or bogus packets by the receiving node: the receiver authenticates inbound packets before decrypting them, so forged or replayed packets are discarded without spending decryption effort on them, which potentially reduces the impact of denial of service (DoS) attacks. 
ESP and AH can be applied to IP packets in two different ways, which are referred to as modes: 


m Transport mode—Transport mode protects the payload of the packet (the higher layer protocols) but leaves the original IP header in the clear. The original IP addresses are used to route the packet through the Internet. ESP transport mode is used between two hosts, when the final destination is the host itself. Transport mode provides security to the higher layer protocols only. 


m Tunnel mode—ESP tunnel mode is used when either end of the tunnel is a security gateway, 
a Concentrator, a VPN optimized router, or a PIX Firewall. Tunnel mode is used when the 
final destination is not a host, but a VPN gateway. The security gateway encrypts and 
authenticates the original IP packet. Next, a new IP header is appended to the front of the 
encrypted packet. The outside, new, IP address is used to route the packet through the 
Internet to the remote end security gateway. Tunnel mode provides security for the whole 
original IP packet. 
ESP tunnel mode is used between a host and a security gateway or between two security 
gateways. For gateway-to-gateway applications, rather than load IPSec on all the computers at the 
remote and corporate offices, it is easier to have the security gateways perform the IP-in-IP 
encryption and encapsulation. 


In the IPSec remote access application, ESP tunnel mode is used. At a home office, there may be 
no router to perform the IPSec encapsulation and encryption. In the example in the figure, the 
IPSec client running on the PC performs the IPSec IP-in-IP encapsulation and encryption. At the 
corporate office, the router de-encapsulates and decrypts the packet. 
IPSec is a framework of open standards. IPSec spells out the rules for secure communications. 
IPSec, in turn, relies on existing algorithms to implement the encryption, authentication, and key 
exchange. Some of the standard algorithms are as follows: 


m DES algorithm—DES is used to encrypt and decrypt packet data 
m 3DES algorithm—Effectively doubles encryption strength over 56-bit DES 


m AES algorithm—Faster throughput with even stronger encryption (depends on key length 
chosen) 


m Message Digest 5 (MD5) algorithm—Used to authenticate packet data 
m Secure Hash Algorithm-1 (SHA-1) algorithm—Authenticates packet data 


m DH—A public-key cryptography protocol that allows two parties to establish a shared secret key used by encryption and hash algorithms (for example, DES and MD5) over an insecure communications channel 


In the example in the figure, there are four IPSec framework squares to be filled. When 
configuring security services to be provided by an IPSec gateway, first, an IPSec protocol must 
be chosen. The choices are ESP or ESP with AH. The second square is an encryption algorithm. 
Choose the encryption algorithm appropriate for the level of security desired: DES or 3DES. The 
third square is Authentication. Choose an authentication algorithm to provide data integrity: MD5 
or SHA. The last square is the DH algorithm group. Choose which group to use: DH1 or DH2. 
IPSec provides the framework, and the administrator chooses the algorithms used to implement 
the security services within that framework. 
This topic details the individual steps of IPSec. 


Five Steps of IPSec 

(Figure: Host A and Host B communicating through Router A and Router B.) 

¢ Interesting Traffic—The VPN devices recognize the traffic to protect. 
¢ IKE Phase 1—The VPN devices negotiate an IKE security policy and establish a secure channel. 
¢ IKE Phase 2—The VPN devices negotiate an IPSec security policy used to protect IPSec data. 
¢ Data transfer—The VPN devices apply security services to traffic and then transmit the traffic. 
¢ Tunnel terminated—The tunnel is torn down. 

The goal of IPSec is to protect the desired data with the needed security services. IPSec’s 
operation can be broken down into five primary steps: 


Interesting traffic—Traffic is deemed interesting when the VPN device recognizes that the traffic you want to send needs to be protected. 


IKE Phase 1—Between peers, a basic set of security services are negotiated and agreed upon. 
This basic set of security services protects all subsequent communications between the peers. 


IKE Phase 2—IKE negotiates IPSec Security Association (SA) parameters and sets up matching IPSec SAs in the peers. These security parameters are used to protect data and messages exchanged between endpoints. The final result of IKE Phases 1 and 2 is a secure communications channel between peers. 


Data transfer—Data is transferred between IPSec peers based on the IPSec parameters and keys 
stored in the SA database. 


IPSec tunnel termination—IPSec SAs terminate through deletion or by timing out. 
Determining what traffic needs to be protected is done as part of formulating a security policy for use of a VPN. The policy is used to determine what traffic needs to be protected and what traffic can be sent in the clear. For every inbound and outbound datagram, there are three choices: apply IPSec, bypass IPSec, or discard the datagram. For every datagram protected by IPSec, the system administrator must specify the security services applied to the datagram. The security policy database specifies the IPSec protocols, modes, and algorithms applied to the traffic. The services are then applied to traffic destined to each particular IPSec peer. With the VPN Client, you use menu windows to select connections that you want secured by IPSec. When interesting traffic transits the IPSec client, the client initiates the next step in the process: negotiating an IKE Phase 1 exchange. 
The basic purpose of Internet Key Exchange (IKE) Phase 1 is to negotiate IKE policy sets, authenticate the peers, and set up a secure channel between the peers. IKE Phase 1 occurs in one of two modes: main mode or aggressive mode. 


Main mode has three two-way exchanges between the initiator and receiver: 


m First exchange—The algorithms and hashes used to secure the IKE communications are 
negotiated. 


m Second exchange—Uses a DH exchange to generate shared secret keys. 


m Third exchange—Verifies the other side’s identity. 


In the aggressive mode, fewer exchanges are done and with fewer packets. On the first exchange, almost everything is squeezed in: the IKE policy set negotiation; the DH public key; a nonce, which the other party signs; and an identity packet, which can be used to verify the sender's identity via a third party. The receiver sends everything back that is needed to complete the exchange. The only thing left is for the initiator to confirm the exchange. While aggressive mode is faster, it does not provide identity protection: the identities travel in the clear, and with pre-shared key authentication the responder's authentication hash is also sent unencrypted, which lets an eavesdropper mount an offline dictionary attack against the pre-shared key. Aggressive mode is therefore not recommended. 
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There are two exchanges: IKE policy sets and establishing a shared secret. 


First Exchange 


During the first exchange the algorithms and hashes used to secure the IKE communications are 
negotiated and agreed upon between peers. When trying to make a secure connection between 
Host A and B through the Internet, Internet Key Exchange (IKE) security proposals are 
exchanged between Router A and B. The proposals identify the IPSec protocol being negotiated 
(for example, ESP). Under each proposal, the originator must delineate which algorithms are 
employed in the proposal (for example, DES with MD5). Rather than negotiate each algorithm
individually, the algorithms are grouped into sets, an IKE policy set. A policy set delineates 
which encryption algorithm, authentication algorithm, mode, and key length are proposed. These 
IKE proposals and policy sets are exchanged during the IKE main mode first exchange phase. If a 
policy set match is found between peers, the main mode continues. If no match is found, the 
tunnel is torn down. 


In the example in the figure, Router A sends IKE policy sets 10 and 20 to Router B. Router B 
compares its set, policy set 15, with those received from Router A. In this instance, there is a 
match: Router A’s policy set 10 matches Router B’s policy set 15. 


In a point-to-point application, each end may only need a single IKE policy set defined. However, 
in a hub and spoke environment, the central site may require multiple IKE policy sets to satisfy 
all the remote peers. 


Second Exchange 


The second exchange uses a DH exchange to generate shared secret keys and to pass nonces, which are
random numbers sent to the other party, signed, and returned to prove identity. The shared secret key is used
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to generate all the other encryption and authentication keys. When this step is completed, the 
peers have a common shared secret but the peers are not authenticated. This leads to the last step 
of IKE Phase 1, authenticating the peer’s identity. 
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The third and last exchange is used to authenticate the remote peer. The primary outcome of main 
mode is a secure communication path for subsequent exchanges between the peers. Without 
proper authentication, it is possible to establish a secure communication channel with a hacker 
who is now stealing all your sensitive material. There are three data origin authentication 
methods: 


■ Pre-shared keys—A secret key value entered into each peer manually used to authenticate the
peer.

■ RSA signatures—Uses the exchange of digital certificates to authenticate the peers.

■ RSA encrypted nonces—Nonces (a random number generated by each peer) are encrypted
and then exchanged between peers. The two nonces are used during the peer authentication
process.
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The purpose of Internet Key Exchange (IKE) Phase 2 is to negotiate the IPSec security 
parameters used to secure the IPSec tunnel. IKE Phase 2 performs the following functions: 


■ Negotiates IPSec security parameters, IPSec transform sets
■ Establishes IPSec SAs
■ Periodically renegotiates IPSec SAs to ensure security
■ Optionally performs an additional DH exchange


IKE Phase 2 has one mode, called Quick mode. Quick mode occurs after IKE has established the 
secure tunnel in Phase 1. It negotiates a shared IPSec transform, derives shared secret keying 
material used for the IPSec security algorithms, and establishes IPSec SAs. Quick mode 
exchanges nonces that are used to generate new shared secret key material and prevent replay 
attacks from generating bogus SAs. 


Quick mode is also used to renegotiate a new IPSec SA when the IPSec SA lifetime expires. 
Quick mode is used to refresh the keying material used to create the shared secret key based on 
the keying material derived from the DH exchange in Phase 1. 
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The ultimate goal of IKE Phase 2 is to establish a secure IPSec session between endpoints. Before 
that can happen, each pair of endpoints negotiates the level of security required (for example, 
encryption and authentication algorithms for the session). Rather than negotiate each protocol 
individually, the protocols are grouped into sets, an IPSec transform set. IPSec transform sets are 
exchanged between peers during Quick mode. If a match is found between sets, IPSec session- 
establishment continues. If no match is found, the session is torn down. 


In the example in the figure, Router A sends IPSec transform sets 30 and 40 to Router B. Router B
compares its set, transform set 55, with those received from Router A. In this instance, there is a 
match. Router A’s transform set 30 matches Router B’s transform set 55. These encryption and 
authentication algorithms form an SA. 
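The policy-set comparison in the main mode first exchange and the transform-set comparison in Quick mode are the same operation on different fields. The Python below is an added example, not Cisco's code, that runs both with the set numbers from the two figures (Router A offers 10 and 20, Router B matches 15; Router A offers 30 and 40, Router B matches 55); the field names and the algorithm values inside each set are this example's own assumptions.

```python
"""IKE policy-set and IPSec transform-set matching (added example, not
Cisco's code). Set numbers follow the figures; the fields compared and the
algorithm values are this example's own assumptions."""
from dataclasses import dataclass, fields
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class IkePolicySet:
    """IKE Phase 1 policy set: what main mode's first exchange negotiates."""
    number: int        # local set number; reported, never compared
    encryption: str    # des, 3des, aes-128 ... (key length folded in)
    hash: str          # md5 or sha
    auth: str          # pre-share, rsa-sig or rsa-encr
    dh_group: int      # Diffie-Hellman group used in the second exchange


@dataclass(frozen=True)
class IpsecTransformSet:
    """IPSec transform set: what IKE Phase 2 quick mode negotiates."""
    number: int
    protocol: str      # esp or ah
    encryption: str    # des, 3des, aes-128 ... ("none" for AH)
    auth: str          # hmac-md5 or hmac-sha
    mode: str          # tunnel or transport


def _compared(obj) -> dict:
    # Every field except the local set number takes part in the comparison.
    return {f.name: getattr(obj, f.name) for f in fields(obj) if f.name != "number"}


def negotiate(offered: Sequence, local: Sequence) -> Optional[Tuple[int, int]]:
    """Responder-side comparison. The initiator's list is in its priority
    order; the first offered set that equals one of the responder's sets
    wins. Returns (initiator set number, responder set number), or None
    when nothing matches, which is when the tunnel is torn down."""
    for proposal in offered:
        for mine in local:
            if _compared(proposal) == _compared(mine):
                return proposal.number, mine.number
    return None


# Constructed sample sets (assumed contents; only the numbers come from the text).
def router_a_policy_sets():
    return [IkePolicySet(10, "3des", "sha", "pre-share", 2),
            IkePolicySet(20, "des", "md5", "pre-share", 1)]


def router_b_policy_sets():
    return [IkePolicySet(15, "3des", "sha", "pre-share", 2)]


def router_a_transform_sets():
    return [IpsecTransformSet(30, "esp", "3des", "hmac-sha", "tunnel"),
            IpsecTransformSet(40, "esp", "des", "hmac-md5", "tunnel")]


def router_b_transform_sets():
    return [IpsecTransformSet(55, "esp", "3des", "hmac-sha", "tunnel")]


def build_tunnel(a_policies, b_policies, a_transforms, b_transforms) -> dict:
    """Run both negotiations in order. Quick mode is only attempted once
    Phase 1 has agreed a policy set; a failure at either step tears the
    tunnel down and is reported as None for that step."""
    phase1 = negotiate(a_policies, b_policies)
    if phase1 is None:
        return {"phase1": None, "phase2": None}
    return {"phase1": phase1, "phase2": negotiate(a_transforms, b_transforms)}


if __name__ == "__main__":
    print(build_tunnel(router_a_policy_sets(), router_b_policy_sets(),
                       router_a_transform_sets(), router_b_transform_sets()))
```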
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Figure: Security Policy Db and SA Db. Security Policy Db entries: Encryption Algorithm, Authentication Algorithm, Mode, Key lifetime. SA Db entries: Destination IP address, SPI, Protocol (ESP or AH). Example shown: 192.168.2.1, SPI-12, ESP/3DES/SHA, tunnel, 28800.
When the security services are agreed upon between peers, each VPN peer device enters the 
information in a Security Policy Database (SPD). The information includes the encryption and 
authentication algorithm, destination IP address, transport mode, key lifetime, and so on. This 
information is referred to as the SA. An SA is a one-way logical connection that provides security 
to all traffic traversing the connection. Because most traffic is bi-directional, two SAs are 
required: one for inbound and one for outbound traffic. The VPN device indexes the SA with a 
number, a Security Parameter Index (SPI). Rather than send the individual parameters of the SA 
across the tunnel, the source gateway, or host, inserts the SPI into the ESP header. When the 
IPSec peer receives the packet, it looks up the destination IP address, IPSec protocol, and SPI in 
its SA database (SAD), and then processes the packet according to the algorithms listed under the 
SPD. 


The IPSec SA is a compilation of the SAD and SPD. SAD is used to identify the SA destination 
IP address, IPSec protocol, and SPI number. The SPD defines the security services applied to the 
SA, encryption and authentication algorithms, and mode and key lifetime. For example, in the 
corporate-to-bank connection, the security policy provides a very secure tunnel using 3DES, 
SHA, tunnel mode, and a key lifetime of 28800. The SAD value is 192.168.2.1, ESP, and SPI-12. 
For the remote user accessing e-mails, a less secure policy is negotiated using DES, MD5, tunnel 
mode, and a key lifetime of 28800. The SAD values are a destination IP address of 192.169.12.1, 
ESP, and an SPI-39. 
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SA Lifetime 
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Lifetime types: data-based and time-based.
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Like passwords on your company PC, the longer you keep them, the more vulnerable they become.
The same thing is true of keys and SAs. For good security, the SA and keys should be changed
periodically. There are two parameters: lifetime type and duration. The first parameter is lifetime 
type. How is the lifetime measured? Is it measured by the number of bytes transmitted or the 
amount of time transpired? The second parameter is the unit of measure: kilobytes of data or 
seconds of time. Some examples are as follows: lifetime based on 10,000 kilobytes of data 
transmitted or 28800 seconds of time expired. The keys and SAs remain active until their lifetime 
expires or until some external event—the client drops the tunnel—causes them to be deleted. 
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Step 4—IPSec Session 
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Figure: Host A and Host B exchange traffic through Router A and Router B.

■ SAs are exchanged between peers.

■ The negotiated security services are applied to the traffic.
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After IKE Phase 2 is complete and Quick mode has established IPSec SAs, traffic is exchanged 
between Host A and B via a secure tunnel. Interesting traffic is encrypted and decrypted 
according to the security services specified in the IPSec SA. 
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Step 5—Tunnel Termination 


Figure: Host A and Host B exchange traffic through Router A and Router B.

■ A tunnel is terminated
— By an SA lifetime timeout
— If the packet counter is exceeded

■ Removes IPSec SA
IPSec SAs terminate through deletion or by timing out. An SA can time out when a specified 
number of seconds has elapsed or when a specified number of bytes has passed through the 
tunnel. When the SAs terminate, the keys are also discarded. When subsequent IPSec SAs are 
needed for a flow, IKE performs a new Phase 2, and, if necessary, a new Phase 1 negotiation. A
successful negotiation results in new SAs and new keys. New SAs are usually established before 
the existing SAs expire, so that a given flow can continue uninterrupted. 
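The SAD/SPD lookup by (destination address, protocol, SPI), the data-based and time-based lifetimes, and the termination and rekey behaviour described above can be put together in one model. The Python below is an added example, not Concentrator code; its two SAs use the values given in the text (192.168.2.1 / ESP / SPI-12 with 3DES, SHA, tunnel, 28800 seconds, and 192.169.12.1 / ESP / SPI-39 with DES, MD5, tunnel, 28800 seconds) plus the 10,000 kilobyte data lifetime the text gives as an example, and the 10% rekey margin is this example's own assumption.

```python
"""SA database (SAD) and security policy database (SPD) with SA lifetimes:
added example, not Concentrator code. Sample values are the ones from the
text; the rekey margin is this example's assumption."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

SadKey = Tuple[str, str, int]   # (destination IP, IPSec protocol, SPI)


@dataclass
class SpdEntry:
    """Security services negotiated in quick mode and applied to the SA."""
    encryption: str
    authentication: str
    mode: str
    lifetime_seconds: int
    lifetime_kilobytes: int


@dataclass
class SecurityAssociation:
    """One-way SA: its SAD key, its SPD entry, and the counters the lifetimes use."""
    key: SadKey
    policy: SpdEntry
    created_at: float          # seconds; clock for the time-based lifetime
    bytes_seen: int = 0        # counter for the data-based lifetime

    def expired(self, now: float) -> Optional[str]:
        """Name the lifetime type that ran out, or None while the SA is still valid."""
        if now - self.created_at >= self.policy.lifetime_seconds:
            return "time-based"
        if self.bytes_seen >= self.policy.lifetime_kilobytes * 1024:
            return "data-based"
        return None

    def rekey_due(self, now: float, margin: float = 0.10) -> bool:
        """True when less than `margin` (assumed 10%) of either lifetime is left,
        so a replacement SA can be negotiated before this one expires."""
        time_left = self.policy.lifetime_seconds - (now - self.created_at)
        bytes_left = self.policy.lifetime_kilobytes * 1024 - self.bytes_seen
        return (time_left < margin * self.policy.lifetime_seconds
                or bytes_left < margin * self.policy.lifetime_kilobytes * 1024)


class SaDatabase:
    """SAD indexed by (destination, protocol, SPI); each entry carries its SPD entry."""

    def __init__(self) -> None:
        self.sad: Dict[SadKey, SecurityAssociation] = {}

    def install(self, dst: str, proto: str, spi: int, policy: SpdEntry, now: float) -> None:
        key = (dst, proto, spi)
        self.sad[key] = SecurityAssociation(key, policy, now)

    def lookup(self, dst: str, proto: str, spi: int) -> Optional[SecurityAssociation]:
        """The receiver finds the SA from the destination address, the IPSec protocol
        and the SPI carried in the ESP/AH header; the parameters themselves are never sent."""
        return self.sad.get((dst, proto, spi))

    def process_inbound(self, dst: str, proto: str, spi: int,
                        length: int, now: float) -> Tuple[Optional[SpdEntry], str]:
        """Return the SPD entry to apply and a status. An expired SA is deleted together
        with its keys (tunnel termination); packets for it are dropped until IKE has
        negotiated a replacement."""
        sa = self.lookup(dst, proto, spi)
        if sa is None:
            return None, "no SA: discard"
        reason = sa.expired(now)
        if reason is not None:
            del self.sad[sa.key]
            return None, f"SA expired ({reason}): deleted, new IKE Phase 2 required"
        sa.bytes_seen += length
        return sa.policy, "apply"


def build_sample_sad(now: float) -> SaDatabase:
    """The two SAs from the text, each with a 10,000 kilobyte data lifetime added."""
    db = SaDatabase()
    db.install("192.168.2.1", "esp", 12,
               SpdEntry("3des", "sha", "tunnel", 28800, 10_000), now)
    db.install("192.169.12.1", "esp", 39,
               SpdEntry("des", "md5", "tunnel", 28800, 10_000), now)
    return db


if __name__ == "__main__":
    db = build_sample_sad(now=0.0)
    print(db.process_inbound("192.168.2.1", "esp", 12, 1500, now=10.0))
    print(db.process_inbound("192.168.2.1", "esp", 99, 1500, now=10.0))
```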
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Summary 


This topic summarizes what you learned in this lesson. 




■ Cisco VPN components include Cisco VPN 3000 Series
Concentrators, Cisco VPN routers, the PIX Firewall, and
the Cisco VPN Client.

■ Cisco supports the following IPSec standards: AH, ESP,
DES, 3DES, AES, MD5, SHA, RSA signatures, IKE (also
known as ISAKMP), DH, and CAs.

■ There are five steps to IPSec: interesting traffic, IKE
Phase 1, IKE Phase 2, IPSec encrypted traffic, and tunnel
termination.

■ IPSec SAs consist of a destination address, SPI, IPSec
transform, mode, and SA lifetime value.
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Cisco Virtual Private Network 
3000 Concentrator Series 
Hardware Overview 


Overview 


This lesson includes the following topics: 


m Objectives 


Objectives 


This topic lists the lesson’s objectives. 




Upon completion of this lesson, you will be 
able to perform the following tasks: 


■ Describe the Cisco VPN 3000 Concentrator Series.

■ Identify the Cisco VPN 3000 Concentrator Series models.

■ Describe the Cisco VPN 3000 Concentrator Series features and functions.


This lesson presents an overview of the Cisco Virtual Private Network (VPN) 3000 
Concentrator Series. It describes the Cisco VPN 3000 Concentrator Series models, and details 
the major features and functions of the hardware. 
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Overview 


This topic presents an overview of the Cisco VPN 3000 Concentrator Series. 


Cisco VPN Concentrator Series

Figure: VPN 3005 or 3015 at the branch office, VPN 3030 at each regional office, and VPN 3060 or 3080 at the central site, all connected through the Internet.
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The Cisco VPN 3000 Concentrator Series consists of the following models: 
■ 3005 and 3015
— Appropriate for a small branch office
— Supports up to 100 simultaneous sessions
■ 3030
— Appropriate for a regional office
— Supports up to 1,500 simultaneous sessions
■ 3060
— Appropriate for a large central site
— Supports up to 5,000 simultaneous sessions
■ 3080
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— Appropriate for a large central site or ISP
— Supports up to 10,000 simultaneous sessions
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Product Hardware Portfolio

Figure: Cisco VPN 3000 Concentrator Series positioned across branch, regional, and central site deployments, up to the 3080. Slide text: "The goal is to provide products that cover the entire spectrum of customer VPN applications, making Cisco the only choice for CPE and service providers of all sizes."
The Cisco VPN 3000 Concentrator Series provides products that cover the entire spectrum of 
customer VPN applications. The following models are available: 


■ 3005
— Supports software encryption
— Supports up to 100 simultaneous sessions
— Not upgradeable

■ 3015
— Supports software encryption
— Supports up to 100 simultaneous sessions
— Upgradeable

■ 3030
— Supports one Scalable Encryption Processor/SEP-Enhanced (SEP/SEP-E) hardware module
— Supports up to 1,500 simultaneous sessions
— Upgradeable

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■ 3060
— Supports two SEP/SEP-E hardware modules
— Supports up to 5,000 simultaneous sessions
— Upgradeable

■ 3080
— Supports two SEP/SEP-E hardware modules
— Supports up to 10,000 simultaneous sessions
— Not upgradeable
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Models 


This topic presents an overview of the Cisco VPN 3000 Concentrator Series models. 


Cisco VPN 3005 Concentrator

Figure: Cisco VPN 3005 Concentrator, showing the 100-240V power supply.
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The following hardware features are supported on the Cisco VPN 3005 Concentrator: 
■ Height—1U
■ Memory—32 MB SRAM, which is standard
■ Encryption—Software-based
— Data Encryption Standard (DES)
— 3DES
— Advanced Encryption Standard (AES)
■ Scalability—Up to 100 simultaneous sessions
■ Network interface
— Two auto-sensing, full duplex 10/100BaseT Ethernet interfaces.
— The public interface connects to the Internet.
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— The private interface connects to the private corporate network.
■ Power supply—AC operates at 100-240V and 50/60 Hz with universal power factor correction
■ Hardware—Not upgradeable
■ Software—Upgradeable
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Cisco VPN 3015 Concentrator 
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Figure: Cisco VPN 3015 Concentrator, showing the SEP/SEP-E module slots and the load-sharing 100-240V power supplies.
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The following hardware features are supported on the Cisco VPN 3015 Concentrator: 
■ Memory—64 MB SRAM, which is the standard
■ Encryption—Software-based
— DES, 3DES, and AES encryption
■ Scalability—Up to 100 simultaneous remote connections
■ Network interface
— Three auto-sensing, full duplex 10/100BaseT Ethernet interfaces.
— The public interface connects to the Internet.
— The private interface connects to the private corporate network.
— The external interface connects to the DMZ.
■ Power supply
— AC operates at 100-240V and 50/60 Hz with universal power factor correction
— Replaceable power supply
■ Upgradeable
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Cisco VPN 3030 Concentrator 
Figure: Cisco VPN 3030 Concentrator, showing the SEP/SEP-E module slots and the load-sharing 100-240V power supplies.
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The following hardware features are supported on the Cisco VPN 3030 Concentrator: 
■ Memory—128 MB SRAM, which is the standard
■ Encryption
— Hardware-based encryption
  ■ SEP/SEP-E encryption module
  ■ Programmable Digital Signal Processor (DSP)-based security accelerator
  ■ DES, 3DES, and AES encryption
— Software-based—AES 128, AES 192, and AES 256 encryption
■ Scalability
— Equipped with one SEP/SEP-E module
— Up to 1,500 simultaneous remote connections
■ Network interface
— Three auto-sensing, full duplex 10/100BaseT Ethernet interfaces.
— The public interface connects to the Internet.
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— The private interface connects to the private corporate network.
— The external interface connects to the DMZ.
■ Power supply
— AC operates at 100-240V and 50/60 Hz with universal power factor correction
— Replaceable power supply
— Hot-swappable with optional redundant power supply
■ Upgradeable
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Cisco VPN 3060 Concentrator 


Figure: Cisco VPN 3060 Concentrator, showing the SEP/SEP-E module slots and the load-sharing 100-240V power supplies.
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The following hardware features are supported on the Cisco VPN 3060 Concentrator: 
■ Memory
— 256 MB SRAM, which is the standard
— 512 MB SRAM, upgradable

Note To take advantage of additional memory, you must update the VPN Concentrator Manager to
version 4.0, and update the VPN Concentrator Bootcode to version 4.0.

■ Encryption
— Hardware-based encryption
  ■ SEP/SEP-E encryption module
  ■ Programmable, DSP-based security accelerator
  ■ DES, 3DES, and AES encryption
— Software-based encryption—AES 128, AES 192, and AES 256
■ Scalability
— Equipped with a total of two SEP/SEP-E modules
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— Up to 5000 simultaneous remote connections
■ Network interface
— Three auto-sensing, full duplex 10/100BaseT Ethernet interfaces.
— The public interface connects to the Internet.
— The private interface connects to the private corporate network.
— The external interface connects to the DMZ.
■ Power supply
— AC operates at 100-240V and 50/60 Hz with universal power factor correction
— Standard hot-swappable, redundant power supply
■ Upgradeable
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Cisco VPN 3080 Concentrator 
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The following hardware features are supported on the Cisco VPN 3080 Concentrator: 
■ Memory
— 256 MB SRAM, which is the standard
— 512 MB, upgradeable

Note To take advantage of additional memory, you must update the VPN Concentrator Manager
to version 4.0, and update the VPN Concentrator Bootcode to version 4.0.

■ Encryption
— Hardware-based encryption
  ■ SEP/SEP-E encryption module
  ■ Programmable, DSP-based security accelerator
  ■ DES, 3DES, and AES encryption
— Software-based encryption—AES 128, AES 192, and AES 256
■ Scalability
— Equipped with two active and two inactive SEP/SEP-E modules
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— Up to 10,000 simultaneous remote connections
■ Network interface
— Three auto-sensing, full duplex 10/100BaseT Ethernet interfaces.
— The public interface connects to the Internet.
— The private interface connects to the private corporate network.
— The external interface connects to the DMZ.
■ Power supply
— AC operates at 100-240V and 50/60 Hz with universal power factor correction
— Standard hot-swappable, redundant power supply
■ Migration to 3080—Factory upgrade
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The following are the LEDs found on the front of the Concentrator:

■ System
— Green: Power on; normal
— Amber: System has crashed and halted
— Off: Power off; all LEDs are off

■ Ethernet Link Status 1 2 3
— Green, steady light: Connected to the network and enabled
— Green, blinking light: Connected and configured, but disabled
— Amber: NA
— Off: Not connected to the network or not enabled

■ Expansion Modules Insertion Status
— Green: The SEP/SEP-E module is installed.
— Amber: NA
— Off: SEP/SEP-E not installed in system

■ Expansion Module Run Status
— Green: The SEP/SEP-E module is operational.
— Amber: NA
— Off: If installed, SEP/SEP-E failed diagnostics or the encryption is not running

■ Fan Status
— Green: Operating normally
— Amber: Not running or below normal revolutions per minute (RPM)
— Off: NA

■ Power Supplies A B
— Green: Installed and operating normally
— Amber: Voltage outside of normal range
— Off: Not installed
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Front LEDs (cont.) 
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Figure: front panel LEDs: System; Ethernet Link Status 1 2 3; Expansion Modules Insertion Status and Run Status 1 2 3 4; Fan Status; Power Supplies A B; Active Sessions; Throughput; CPU Utilization.
The following are additional LEDs found on the front of the Concentrator: 


■ CPU Utilization
— Green: A statistic is selected for display.
— Amber: NA
— Off: Not selected

■ Active Sessions
— Green: A statistic is selected for display.
— Amber: NA
— Off: Not selected

■ Throughput
— Green: A statistic is selected for display.
— Amber: NA
— Off: Not selected
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Rear LEDs 
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The following are the LEDs for the Ethernet interfaces found on the back of the Concentrator:

■ Link
— Green: Carrier detected; normal
— Amber: NA
— Off: No carrier detected; error

■ Tx
— Green: Transmitting data; normal
— Amber: NA
— Off: Not transmitting data; idle

■ Coll
— Green: NA
— Amber: Data collisions are detected
— Off: No collisions; normal

■ 100
— Green: The speed is set to 100 Mbps.
— Amber: NA
— Off: The speed is set to 10 Mbps.

The following are the LEDs for the SEP/SEP-E modules found on the back of the Concentrator:

■ Power
— Green: Power on; normal
— Amber: NA
— Off: Power off; error

■ Status
— Green: The Encryption code is running.
— Amber: NA
— Off: The module failed diagnostics or the encryption code is not running.
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Back Panel 


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Figure: Concentrator back panel, showing the SEP/SEP-E module slots, the load-sharing 100-240V power supplies, and the External interface.
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The back panel of the Concentrator has the following interfaces and features: 
■ Power supply
— Replaceable power supply modules
— AC operates at 100-240V and 50/60 Hz with universal power factor correction
— Hot-swappable with redundant power supplies
■ Network interface
— Three auto-sensing, full duplex, 10/100BaseT Ethernet interfaces
— The public interface connects to the Internet
— The private interface connects to the private corporate network
— The external interface connects to the DMZ
■ Console port
— Changes to its default setting of 9600 8N1
— Used for the CLI
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Table: feature comparison of the Concentrator models (3005, 3015, 3030, 3060, 3080). Rows: Height, Performance, Simultaneous Users, Site-to-Site Tunnels, Encryption, Memory, Power Supplies, SEP/SEP-E Modules, Upgradeable.

The table can be used to determine which model is best for your environment. The top row lists 
the five models in the Concentrator family. The left column lists some of the Concentrator’s 
features. 


Note For planning purposes, a simultaneous user is considered to be a remote access VPN user
connected in all tunneling modes. A session includes 1 Internet Key Exchange (IKE) Security
Association (SA) and 2 unidirectional Internet Protocol Security (IPSec) SAs. For
environments with rekeying or split tunneling, using a VPN remote access load-balancing
environment with spare capacity is recommended since these particular sessions will utilize
additional system resources that otherwise would be used to support additional users. In
mixed environments where a Concentrator must support both remote access and site-to-site
tunnels, the site-to-site tunnel count is subtracted from the overall simultaneous user
capability. For example, a 3060, which has 50 site-to-site tunnels, cannot exceed 4950
remote access sessions.
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Benefits and Features 


This topic discusses the benefits and features of the Cisco VPN 3000 Concentrator Series. 


SEP/SEP-E

Figure: SEP-200U module with Power and Status LEDs.

■ DSP-based hardware encryption—1,500 to 5,000 simultaneous sessions
■ SEP—Provides DES and 3DES hardware-based encryption
■ SEP-E—Provides DES, 3DES, and AES hardware-based encryption
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The Scalable Encryption Processor (SEP/SEP-E) hardware-based encryption module enables 
you to offload processor-intensive DES, 3DES, and AES encryption tasks to hardware. The 
following features are supported: 
■ DSP-based hardware encryption
— SEP/SEP-E is based on the Analog Devices DSP encryption engine.
— Encryption or decryption is offloaded to DSP-based hardware.
— DSP can be reprogrammed as existing standards change and new standards emerge.
■ SEP—DES and 3DES hardware-based encryption
■ SEP-E—DES, 3DES, and AES hardware-based encryption
■ Performance—Able to support up to 100 Mbps of encrypted throughput at wire speed
■ Sessions
— 3005 and 3015—Provides 100 simultaneous sessions using software-based encryption
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— 3030—Provides 1,500 simultaneous sessions with one SEP/SEP-E module
— 3060—Provides 5,000 simultaneous sessions with two SEP/SEP-E modules
— 3080—Provides 10,000 simultaneous sessions with two SEP/SEP-E modules and an
upgraded Concentrator chassis


Note The Concentrator uses either SEP or SEP-E modules, not both. Do not install both on the 
same device. If you install an SEP-E module on a Concentrator that already contains an 
SEP module, the Concentrator disables the SEP module and uses only the SEP-E module. 
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SEP/SEP-E Redundancy 


Figure: SEP/SEP-E redundancy.

Redundancy
■ Top-to-bottom
■ Side-to-side

The Concentrator can contain up to four Scalable Encryption Processor (SEP/SEP-E) modules 
for maximum system throughput and redundancy. Two SEP/SEP-E modules are online while 
the other two SEP/SEP-E modules are hot-running spares. These additional modules provide 
redundancy in case of module failure. 


SEP/SEP-E redundancy requires no configuration. It is always enabled and completely 
automatic; no operator intervention is required. 


Redundancy is from top to bottom, which is referred to as a column. If the top SEP/SEP-E fails, 
the bottom SEP/SEP-E takes over. The Concentrator automatically switches all the active 
sessions to the redundant SEP/SEP-E. No sessions are lost. 


If both SEP/SEP-Es in a column fail, the sessions are handled by the SEP/SEP-Es in the other 
column. In this scenario, sessions will be lost. The users need to re-establish their sessions. 
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Concentrator redundancy applies only to installations where two or more Concentrators are in 
parallel. The public interfaces of all Concentrators are located on a common LAN. All private 
interfaces of all Concentrators are located on a different common LAN. Virtual Router 
Redundancy Protocol (VRRP) manages automatic switchover from one Concentrator to another 
in a redundant installation. Automatic switchover provides you access to the VPN even if one 
Concentrator is out of service for some reason (for example, system crash, power failure, 
physical interface failure, system shutdown, or reboot). 


One Concentrator is the master system, and the others are backup systems. A backup system 
acts as a virtual master system when a switchover occurs. For IPSec LAN-to-LAN connections, 
switchover is fully automatic. A new tunnel is re-established automatically. No further action is 
required. 


For IPSec and Point-to-Point Tunneling Protocol (PPTP) client-to-LAN connections, you are 
disconnected from the failing system. You are notified of the disruption and can reconnect 
without changing any connection parameters. 


Switchover typically occurs within three to ten seconds. Switch back can be performed 
manually at a time that is convenient for the administrator. 
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Concentrator Backup LAN-to-LAN 
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The Backup LAN-to-LAN feature lets you establish redundancy for your LAN-to-LAN 
connection. Unlike VRRP, which provides a failover for the Concentrator, Backup LAN-to- 
LAN provides a failover for the connection itself. Although VRRP and Backup LAN-to-LAN 
each provide ways of establishing continuity of service if a Concentrator fails, the Backup 
LAN-to-LAN feature provides certain advantages over VRRP as follows: 


■ You can configure Backup LAN-to-LAN and load balancing on the same device, but you
cannot configure VRRP and load balancing on the same Concentrator.

■ Redundant Backup LAN-to-LAN peers do not have to be located at the same site. VRRP
backup peers cannot be geographically dispersed.


Note The Backup LAN-to-LAN feature does not work in conjunction with VRRP. If you set up a 
Backup LAN-to-LAN configuration, disable VRRP. 
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Load Balancing 


Cisco.com 
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Load balancing distributes the connection load across multiple Concentrators. Rather than 
loading up one Concentrator at a time, load balancing spreads the connection across multiple 
Concentrators. In this way, individual LAN ports are used less. Each CPU is also less used, so 
latency and response time improves. It scales to a large number of Concentrators with no 
additional impact on performance. It also provides a high degree of resiliency to remote users; 
failure of a Concentrator does not cause a system to collapse. 


Load Balancing consists of three parts: 


■ Cluster—A group of Concentrators working together as a single entity. The cluster is
known by one IP address to the outside client space. This virtual IP address is not tied to a
specific physical device in the VPN cluster but is serviced by the cluster virtual master. The
virtual IP address is a valid routable address.

■ Client—The basic strategy allows clients to initiate a connection to a known address, also
known as a virtual IP address. The cluster always accepts the connection. During the
second message of the IKE exchange, the cluster virtual master sends back to the client a
secure, redirect notify message with the address of the least-loaded Concentrator. The client
restarts IKE Phase 1 with the new specified address, which is the public interface of the
least-loaded Concentrator. Load balancing is performed on active sessions at connection
time.

■ Load—The virtual cluster master maintains load information from all other non-masters.
Each non-master sends load information in the “Keep Alive” message exchange to the
master. The load is calculated as a percentage of current active sessions divided by the
configured maximum allowed connections. The administrator can limit the number of
connections in a Concentrator.
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Note The Concentrator can perform only VRRP or load balancing, not both. 
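The three parts of load balancing above (cluster virtual IP, keepalive load reports, and the redirect to the least-loaded member in the second IKE message) can be modelled in a few dozen lines. The Python below is an added example, not Concentrator code; the addresses, session counts, the tie-break rule, the master counting as a candidate, and refusing a client when every member is at its configured limit are this example's own assumptions.

```python
"""Load-balancing cluster redirect: added example, not Concentrator code.
Addresses, session counts, the tie-break rule and the handling of a fully
loaded cluster are this example's own assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Member:
    """One Concentrator in the cluster, as the virtual master sees it."""
    public_ip: str
    max_connections: int        # administrator-configured connection limit
    active_sessions: int = 0    # last value reported in a keepalive

    @property
    def load_percent(self) -> float:
        """Load as the text defines it: active sessions over the configured maximum."""
        return 100.0 * self.active_sessions / self.max_connections


@dataclass
class Cluster:
    virtual_ip: str
    master: Member
    members: Dict[str, Member] = field(default_factory=dict)  # keyed by public IP

    def __post_init__(self) -> None:
        # Assumption: the master also terminates sessions and is a redirect candidate.
        self.members[self.master.public_ip] = self.master

    def add_member(self, member: Member) -> None:
        self.members[member.public_ip] = member

    def keepalive(self, public_ip: str, active_sessions: int) -> None:
        """A non-master's keepalive carries its current session count to the master."""
        self.members[public_ip].active_sessions = active_sessions

    def redirect_target(self) -> Optional[str]:
        """Public IP of the least-loaded member that is below its limit. Ties go to
        the lower address (assumption). None means every member is at its limit."""
        candidates = [m for m in self.members.values()
                      if m.active_sessions < m.max_connections]
        if not candidates:
            return None
        return min(candidates, key=lambda m: (m.load_percent, m.public_ip)).public_ip


def client_connect(cluster: Cluster, dst_ip: str) -> dict:
    """Client side of the exchange: the first IKE message goes to the known
    virtual IP; the master's second message carries the redirect, and the
    client restarts IKE Phase 1 against the returned public address."""
    if dst_ip != cluster.virtual_ip:
        return {"accepted": False, "reason": "not the cluster virtual IP"}
    target = cluster.redirect_target()
    if target is None:
        return {"accepted": False, "reason": "every member is at its configured limit"}
    cluster.members[target].active_sessions += 1   # the session is now counted there
    return {"accepted": True, "redirect_to": target, "restart_ike_phase1": True}


def build_sample_cluster() -> Cluster:
    """Constructed sample: master at 90% load, two members at 20% and 10%."""
    cluster = Cluster("10.0.0.100", Member("10.0.0.1", 100, 90))
    cluster.add_member(Member("10.0.0.2", 100, 20))
    cluster.add_member(Member("10.0.0.3", 50, 5))
    return cluster


if __name__ == "__main__":
    c = build_sample_cluster()
    print(client_connect(c, "10.0.0.100"))
```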
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Client Support 


This topic covers the broad client support of the Cisco VPN 3000 Concentrator Series. 


Client Support

Figure: Clients (Windows, Linux, Solaris, Mac, Certicom) reach the corporate office (web server, file server) over a secure VPN session. Access: Analog, ISDN, DSL, Cable, Wireless. Tunneling protocols: IPSec, L2TP over IPSec, PPTP, L2TP.
Another feature of the Cisco VPN 3000 Concentrator Series is the broad client support. The 
following clients and protocols are supported by the Concentrator: 


■ Broad client support
— Windows client
— Linux client
— Solaris client
— Mac client
— Certicom client
■ Tunneling protocols
— IPSec client
— PPTP client in Windows Dial-up Networking 1.3
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— L2TP over IPSec client in Windows 2000
— L2TP
■ Access methods
— Analog
— ISDN
— DSL
— Cable
— Wireless
■ Unlimited Cisco VPN Client software licenses
Cisco VPN Windows Software Client


The following are system requirements for the Cisco VPN Client:

■ Operating System
— Microsoft Windows 98 or Windows 98 (second edition)
— Microsoft Windows NT 4.0—Running service pack 6 or higher
— Microsoft Windows ME
— Microsoft Windows 2000
— Microsoft Windows XP (Cisco VPN Client release 3.1 or higher)
■ Cisco VPN minimum system requirements
— Cisco VPN 3000 Series Concentrator (release 3.0)
— PIX Firewall (release 6.0)
— IOS 12.2(8)T
■ Hard disk space—50 MB
■ Memory
— 32 MB for Microsoft Windows 95 and 98
— 64 MB for Microsoft Windows NT
— 32-64 MB for Microsoft Windows ME
— 64 MB for Microsoft Windows 2000
— 128 MB for Microsoft Windows XP (256 MB recommended)
Cisco VPN Windows Client—Firewall Features


The Cisco VPN Windows Client offers support for a firewall feature. The firewall feature is
designed to enhance security for Microsoft Windows-based PCs running the release 3.5 and
higher Cisco IPSec client. The feature is applied in one of three modes: are you there (AYT),
stateful firewall (always on), and centralized protection policy (CPP):


■ AYT—For security reasons, a network administrator may require remote PCs to be running
a firewall application before allowing VPN tunnels to be built. The "are you there" feature
verifies the presence of a firewall and reports that information back to the Concentrator.
Depending on the PC's response, the Concentrator can permit or deny the PC's IPSec
tunnel.


■ Stateful firewall (always on)—The stateful firewall module can only be enabled or disabled
by the remote client. With this mode, a default policy is loaded on the firewall. The default
firewall filter blocks all inbound traffic (to the client) that is not related to an outbound
session (from the client). Once the user enables the stateful firewall, it is always on, even
when there are no established VPN tunnels.


■ CPP—Enables network administrators to define a set of rules (policies) to allow or drop
traffic on connected VPN Clients. These policies are pushed from the Concentrator to the
Cisco VPN Windows Client at connection time. The VPN Client passes this policy to the
firewall module on the client PC. The Concentrator can push policy to the Cisco Integrated
Client (CIC) firewall and to the Zone Labs ZoneAlarm and ZoneAlarm Pro firewall
applications. CPP is only enforced while the VPN Client is connected.


The Cisco VPN Windows Client firewall feature is discussed in a later lesson.
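The difference between the stateful (always on) mode and CPP is easiest to see by running traffic through a small model of each. The following is an added example, not code from the course or from Cisco: a stateful filter that admits inbound packets only as replies to sessions the client opened, and a pushed CPP rule list that is enforced only while the tunnel is up. The addresses, packets and policy are constructed, and the CPP evaluation order (first matching rule wins, no match means drop) is an assumption of this model, not a description of how the Cisco Integrated Client evaluates policy.

```python
# Added example (not Cisco's code): a model of the two client-side firewall behaviours
# described above. Packets, addresses and the pushed policy are constructed; the CPP
# matching rule ("first match wins, no match means drop") is an assumption made for this
# model, not a statement of how the Cisco Integrated Client evaluates policy.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the client PC, "in" = arriving at the client PC
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "drop"
    direction: str               # "in", "out", or "any"
    proto: str                   # "tcp", "udp", or "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


class ClientFirewall:
    def __init__(self, stateful_enabled: bool):
        self.stateful_enabled = stateful_enabled  # user-controlled, survives tunnel teardown
        self.flows: Set[Tuple[str, str, int, str, int]] = set()  # outbound 5-tuples seen
        self.cpp_rules: List[Rule] = []
        self.vpn_connected = False

    def vpn_connect(self, pushed_rules: List[Rule]) -> None:
        """At connection time the Concentrator pushes the CPP policy to the client."""
        self.vpn_connected = True
        self.cpp_rules = list(pushed_rules)

    def vpn_disconnect(self) -> None:
        """CPP is enforced only while connected, so the pushed policy goes away."""
        self.vpn_connected = False
        self.cpp_rules = []

    def _stateful_verdict(self, p: Packet) -> str:
        if p.direction == "out":
            self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "allow"
        # Inbound traffic is allowed only as the reverse of a session the client opened.
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "allow" if reverse in self.flows else "drop"

    def verdict(self, p: Packet) -> str:
        if self.vpn_connected and self.cpp_rules:
            for rule in self.cpp_rules:
                if rule.matches(p):
                    if rule.action == "drop":
                        return "drop"
                    break
            else:
                return "drop"  # assumption: no matching CPP rule means drop
        if self.stateful_enabled:
            return self._stateful_verdict(p)
        return "allow"


def demo() -> dict:
    """Run constructed traffic through the model; returns the verdict per case."""
    pc, web, stranger = "10.0.1.20", "10.0.1.10", "198.51.100.7"
    fw = ClientFirewall(stateful_enabled=True)
    r = {}
    # No tunnel yet: the stateful module is still on.
    r["unsolicited_in_no_tunnel"] = fw.verdict(Packet("in", "tcp", stranger, 40000, pc, 445))
    r["client_opens_http"] = fw.verdict(Packet("out", "tcp", pc, 51000, web, 80))
    r["http_reply"] = fw.verdict(Packet("in", "tcp", web, 80, pc, 51000))
    # Tunnel up: the pushed policy permits only outbound TCP/80 plus inbound TCP, which
    # the stateful module then narrows to replies.
    fw.vpn_connect([Rule("allow", "out", "tcp", 80), Rule("allow", "in", "tcp")])
    r["telnet_out_connected"] = fw.verdict(Packet("out", "tcp", pc, 51001, web, 23))
    r["http_out_connected"] = fw.verdict(Packet("out", "tcp", pc, 51002, web, 80))
    r["http_reply_connected"] = fw.verdict(Packet("in", "tcp", web, 80, pc, 51002))
    r["unsolicited_in_connected"] = fw.verdict(Packet("in", "tcp", stranger, 40001, pc, 445))
    # Tunnel down: CPP no longer applies, the stateful filter still does.
    fw.vpn_disconnect()
    r["telnet_out_disconnected"] = fw.verdict(Packet("out", "tcp", pc, 51003, web, 23))
    r["unsolicited_in_disconnected"] = fw.verdict(Packet("in", "tcp", stranger, 40002, pc, 445))
    return r
```

The last two cases are the point of the passage: after disconnect the outbound Telnet that CPP blocked is allowed again, but the unsolicited inbound connection is still dropped because the stateful module stays on with or without a tunnel.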
Cisco VPN Windows Client—Smartcard Support


A Smartcard can be used to store information, such as a digital certificate. Unlike most digital
certificates, which are stored on a computer, with a Smartcard you bring your authentication with
you (the user, not just the computer, can be authenticated). To use a Smartcard, a user must
have a Smartcard reader installed in their computer as well as the driver software required to
support the Smartcard reader. When a Smartcard is inserted into the reader, the user must know
a PIN in order to gain access to the card. Smartcards do not replace digital certificates; they act
as a secure and portable storage mechanism for them. The Cisco VPN Windows Client supports
Gemplus, Aladdin, and ActivCard Smartcards.
Cisco VPN Linux and Solaris Software Clients


The Cisco VPN software client was expanded to include the Linux, Solaris, and Mac operating
systems. The system requirements for the Linux and Solaris client types are as follows:


■ Linux—Red Hat version 6.2 Linux (Intel), or compatible distribution, using kernel version
2.2.12 or later
— Connection type—Point-to-Point Protocol (PPP) and Ethernet
— Tunneling Protocol—IPSec
— User Authentication—RADIUS, Rivest, Shamir, and Adleman (RSA) SecurID, NT
Domain, VPN Internal user list, and Public Key Infrastructure (PKI) digital certificates
— VPN Client Administration—Command line only
— Hard disk space—50 MB
— Memory—32 MB
■ Solaris UltraSPARC—32-bit or 64-bit Solaris kernel operating system version 2.6 or later
— Connection type—PPP and Ethernet
— Tunneling Protocol—IPSec
— User Authentication—RADIUS, RSA SecurID, NT Domain, VPN internal user list,
and PKI digital certificates
— VPN Client Administration—Command line only
— Hard disk space—50 MB
— Memory—32 MB
Cisco VPN Mac OS X Software Client


The Cisco VPN Mac OS X Client supports both a command line interface (CLI) and a
graphical user interface (GUI). The system requirements for the Mac OS X client are as
follows:

■ Mac OS X version 10.1.0 or later
■ Connection type—Ethernet only
■ Tunneling Protocol—IPSec
■ User Authentication—RADIUS, RSA SecurID, NT Domain, VPN Internal user list, and
PKI digital certificates
■ VPN Client Administration—GUI and CLI
■ Hard disk space—50 MB


The GUI enables the user to manage the VPN connections quickly and easily. The management
functionality available from the GUI includes the following:


■ Certificate management
■ Profile management
■ Connection management
■ Log management
The Cisco VPN 3002 Hardware Client has the Client software built into it, enabling the
Hardware Client to emulate the Cisco VPN 3000 Software Client. With the Hardware Client,
you can plug remote site PCs into the Hardware Client instead of having to load the Cisco
VPN Client or additional applications on remote site PCs.


There are two versions of the Hardware Client:
■ 3002—One private and one public interface
■ 3002-8E
— One public interface, and the private interface is a built-in 8-port 10/100BaseT Ethernet
switch (the switch is locked in, not configurable)
— Auto MDIX, which eliminates crossover cables


There are two modes of operation for the Hardware Client: client mode and network extension
mode. These modes are configurable via the CLI or GUI. The Hardware Client can be remotely
managed via the IPSec tunnel or Secure Shell (SSH).


LEAP (Lightweight Extensible Authentication Protocol) Bypass, when enabled, lets LEAP
packets from wireless devices behind a VPN 3002 travel across a VPN tunnel prior to individual
user authentication. This enables workstations using wireless access point devices to establish
LEAP authentication. Then they authenticate again per individual user authentication.


Administrators enable LEAP Bypass on a group basis at the central site, via a check box on the
VPN Concentrator HW Client tab on the Group configuration page. Administrators can create a
banner on the VPN 3000 Concentrator and push it to the VPN 3002. This gives organizations
the ability to provide information to users about their network, terms for use, liability, and other
issues.


The Hardware Client is powered by an external power supply. It auto-senses the voltage, either
110V or 220V.


4-38 Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc. 


Hardware Versus Software Client 
You must decide which client to employ in the network: hardware, software, or both. Two
fictitious companies are characterized to better explain the clients: Delicious Donuts and
MetaRay System Engineers.


■ Delicious Donuts—If you have a customer who wants to take advantage of the savings of a
VPN and they have 10,000 small office/home office (SOHO) sites within the US, you
would want to choose the Hardware Client. The Software Client is built into the Hardware
Client, which can be pre-configured and then sent to remote offices where it is plugged
in, cabled to the local LAN, and ready to go. It supports multiple devices on the local LAN,
and no applications have to be loaded on any of the local PCs. The Hardware Client is smart
enough to launch a tunnel for any traffic bound for the corporate network.


■ MetaRay System Engineers—You have a company that has system engineers (road
warriors) who need to call back to the home office while on the road. To do so, they would
use the Software Client, because the system engineer loads the Software Client on the PC
and launches it only when necessary. The Hardware Client is not feasible because the
system engineer would need to carry another piece of equipment.
Certicom VPN Client Support


Certicom offers technology through the original equipment manufacturer (OEM) model,
embedding security solutions in a wide variety of third-party products. They have implemented
an IPSec client to run on cell phones, personal digital assistants (PDAs), and so on. When these
devices perform standard IPSec, it is very CPU-intensive: Diffie-Hellman (DH) groups 1 and 2
take minutes to generate a key. Because of this, Certicom developed DH Group 7, Elliptic
Curve Cryptography (ECC) support, to provide a key that can be generated in a short time (less
than five seconds).


You must have the following to use Certicom VPN Client support:
■ Certicom VPN Client software
■ ECC (DH Group 7) protocol
■ Concentrator to terminate an IPSec client-to-LAN tunnel


However, the Certicom client does not support load balancing: load balancing requires the
client to accept and interpret IKE redirect messages, and the Certicom client does not support
this functionality.
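The load-balancing mechanism described earlier in this lesson (non-masters report their load in the keepalive exchange, the virtual cluster master answers the second IKE message with a redirect to the least-loaded member's public interface) and the Certicom caveat just stated fit together in one small model. The following is an added example, not code from the course or from Cisco. Member names, session counts, the virtual address 192.168.1.100, the tie-break rule and the behaviour when a member is at its configured maximum are all constructed for this model; 192.168.1.5 is the public interface address used in the figures of this course.

```python
# Added example (not Cisco's code): a model of the virtual cluster master's least-loaded
# selection described under Load Balancing earlier in this lesson, with the Certicom caveat
# above: a client that cannot interpret IKE redirect messages stays on the Concentrator it
# contacted. Member names, session counts, the virtual address 192.168.1.100 and the
# tie-break and capacity rules are constructed for this model.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Member:
    name: str
    public_ip: str
    active_sessions: int
    max_connections: int  # the administrator-configured connection limit

    def load_percent(self) -> float:
        """Load = current active sessions / configured maximum, as a percentage."""
        if self.max_connections <= 0:
            return 100.0
        return 100.0 * self.active_sessions / self.max_connections


class VirtualClusterMaster:
    def __init__(self, virtual_ip: str, master: Member):
        self.virtual_ip = virtual_ip  # the address clients actually connect to
        self.master = master
        self.members: Dict[str, Member] = {master.name: master}

    def keepalive(self, member: Member) -> None:
        """Non-masters report their load in the keepalive exchange with the master."""
        self.members[member.name] = member

    def least_loaded(self) -> Member:
        # Lowest load wins; ties broken by name so the choice is deterministic (constructed rule).
        return min(self.members.values(), key=lambda m: (m.load_percent(), m.name))

    def handle_ike_init(self, client_supports_redirect: bool) -> dict:
        """Model of the second IKE message: redirect the client to the least-loaded member's
        public interface, or keep it on the master when it cannot follow a redirect."""
        target = self.least_loaded() if client_supports_redirect else self.master
        if target.active_sessions >= target.max_connections:
            # Constructed behaviour: honour the administrator's limit rather than exceed it.
            return {"action": "reject", "reason": f"{target.name} at configured maximum"}
        target.active_sessions += 1
        if target is self.master:
            return {"action": "accept", "on": target.public_ip}
        return {"action": "redirect", "to": target.public_ip}


def demo() -> List[dict]:
    """Three connection attempts against a constructed three-member cluster."""
    master = Member("vpn-a", "192.168.1.5", 40, 100)            # 40 % loaded
    cluster = VirtualClusterMaster("192.168.1.100", master)
    cluster.keepalive(Member("vpn-b", "192.168.1.6", 10, 100))  # 10 % loaded
    cluster.keepalive(Member("vpn-c", "192.168.1.7", 50, 500))  # 10 % loaded
    results = []
    results.append(cluster.handle_ike_init(client_supports_redirect=True))   # vpn-b (tie, by name)
    results.append(cluster.handle_ike_init(client_supports_redirect=False))  # Certicom: stays on master
    results.append(cluster.handle_ike_init(client_supports_redirect=True))   # vpn-b now 11 %, so vpn-c
    return results
```

Note that load is a percentage of the configured maximum, not a raw session count: vpn-c carries five times the sessions of vpn-b yet reports the same load, and after one redirect to vpn-b it becomes the least-loaded member.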
The Concentrator supports two configuration options: CLI and GUI. To use these options, they
have to be configured correctly.


For the CLI configuration option, the terminal is set for the following:
■ Data bits = 8
■ Parity = N
■ Stop bits = 1
■ Speed = 9600


The web interface supports both HTTP and HTTP over Secure Sockets Layer (SSL). Operators
can use either Internet Explorer or Netscape Navigator. With Internet Explorer and Netscape
Navigator, the software revisions must be 4.0 or higher with both cookies and JavaScript
enabled. Use either browser to configure the Concentrator with one exception—Internet
Explorer must be used when programming digital certificates.
There are various Cisco network management options available to the administrator. The
solutions include Simple Network Management Protocol (SNMP) monitoring, Syslog
monitoring, and Cisco VPN 3000 Concentrator Series configuration. The solutions range from
small to large networks and from general network to security-specific management platforms.
The following Cisco platforms can monitor and manage the Concentrator:


■ Cisco Info Center (CIC)—A service-level alarm monitoring and diagnostics tool that
provides network fault and performance monitoring, network trouble isolation, and real-time
service-level management for large networks. CIC is designed to help operators focus
on important network events, offering a combination of alarm processing rules, filtering,
customizable alarm viewing, and partitioning. CIC can support administrative VPNs among
several Network Operations Centers (NOCs). In some networks, provincial or regional
NOCs require a partial view of the network as a local network segment to facilitate local
problem detection and resolution. Regional NOCs may also require a localized topological
view of the local network portion. Global NOCs support regional NOCs from a central
location and provide a view of the entire network and global fault monitoring. CIC focuses
on fault monitoring.


■ CiscoView—A universal graphic device management application that provides real-time
display and monitoring of Cisco routers, switches, hubs, concentrators, and access servers.
CiscoView plugs into third-party SNMP management platforms such as HP OpenView,
NetView, WhatsUp Gold, and SNMPc. The CiscoView application supports graphical
views of the chassis, device performance information, top ten lists, system summary,
session summary (Active, Max, Total), and routing table of Cisco devices. CiscoView runs
on NT and Solaris. CiscoView is a general management application.


■ CiscoWorks VPN/Security Management Solution (VMS)—An integral part of the SAFE
blueprint, VMS combines web-based applications for configuring, monitoring, and
troubleshooting enterprise VPNs, firewalls, and network-based and host-based intrusion
detection systems (IDS). VMS delivers the industry's first robust and scalable foundation
and feature set that addresses the needs of small and large-scale VPN and security
deployments. Typical devices managed include the following: PIX Firewalls, Cisco VPN
3000 Series Concentrators, 1700, 2600, 3600, 7100 and 7200 Series routers, Cisco IDS
devices, Catalyst 6000 IDS Modules, and IDS for the Catalyst.


■ CiscoWorks—Comprised of multiple software applications. Two of these applications are
the Cisco VPN Monitor and the Cisco Resource Manager Essentials. The following
provides more information on each of these software applications:

— Cisco Resource Manager Essentials (RME)—A suite of web-based applications
offering network management solutions for Cisco switches, access servers, routers, and
Concentrators (NT and Solaris based). It supports the ability to collect detailed inventory,
collect and report on SYSLOG messages, generate inventory reports (hardware,
software, system info), and distribute software to all Concentrators in the network.

— Cisco VPN Monitor—A web-based management tool that allows network
administrators to collect, store, and view information on IPSec VPN connections for
remote access or site-to-site VPN terminations. Cisco VPN Monitor manages VPNs
that are configured on Cisco VPN 3000 Series Concentrators, VPN Series routers, and
Cisco 7100, 1700, 2600, 3600 or 7200 Series routers. Operational status, performance,
and security information can be viewed at a glance, providing status information on
IPSec VPN implementations.


■ Cisco IP Solution Center—An end-to-end network-management solution that scales as your
organization evolves. As a unified service-management solution for Cisco routing,
switching, and security products, the Cisco IP Solution Center manages the following:

— VPNs based on Multiprotocol Label Switching (MPLS) Border Gateway Protocol
(BGP), IPSec, ATM over MPLS, and Frame Relay over MPLS

— Metro Ethernet services such as Ethernet Virtual Connection services (EVCS),
transparent LAN services (TLS), and Ethernet to the home, building, or campus
(ETTx)

— MPLS traffic engineering and MPLS-based bandwidth protection solution

— Security services such as IPSec VPNs, managed firewalls, and Network Address
Translation (NAT)
Summary


This topic summarizes the information you learned in this lesson.


Summary


• There are five models in the Cisco VPN 3000 Concentrator Series: 3005, 3015, 3030, 3060,
and 3080.

• The Cisco VPN 3000 Concentrator Series features include a scalable encryption
processor, strong encryption algorithms, broad client support, and broad access
method support.
Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Pre-Shared Keys


Overview


This lesson explains how to configure Cisco IOS IPSec using pre-shared keys for
authentication. After presenting an overview of the process, the lesson shows you each major
step of the configuration. It includes the following topics:

■ Objectives
■ Overview of remote access using pre-shared keys
■ Initial configuration of the Cisco VPN 3000 Series Concentrator for remote access
■ Browser configuration of the Cisco VPN 3000 Series Concentrator
■ Configuration of users and groups
■ In-depth configuration information
■ Configuration of the Cisco VPN Software Client for Windows
■ Summary
■ Lab exercise


Objectives


This topic lists the lesson's objectives.


Objectives


Upon completion of this lesson, you will be able to perform the following tasks:

• Configure the Cisco VPN 3000 Series Concentrator LAN interfaces via the CLI.

• Configure the Cisco VPN 3000 Series Concentrator Client-to-LAN application using the
browser.

• Configure the IPSec Client.

• Monitor the IPSec Client-to-LAN tunnel.




Overview of Remote Access Using Pre-Shared Keys


This topic presents an overview of remote access using pre-shared keys. 
Consider the following scenario. Remote users need to dial into the corporate office and access
e-mail, corporate presentations, order entry, and engineering. In addition, Corporate
Information Services wants remote users to access corporate resources fast, inexpensively, and
as securely as possible.


Implementing a remote-access virtual private network (VPN) with the Cisco VPN 3000 Series
Concentrator and the Cisco VPN Software Client is the right choice. It enables remote users to
access the corporate resources they require. Corporate Information Services meets their speed,
expense, and security requirements.


The Client-to-LAN VPN consists of four components: IPSec client software, Point-to-Point
Protocol (PPP), IPSec standards, and the Concentrator.


■ IPSec client software—The IPSec client software is not native to the Microsoft Windows
operating system and must be loaded on the PC. It is used to encrypt, authenticate, and
encapsulate data. It also terminates one end of the tunnel.


■ PPP—For remote access applications, the PC relies on PPP to establish a physical
connection to the local ISP or the Internet.


■ IPSec standards—After the ISP authenticates the remote user, the user launches the IPSec
client. IPSec establishes a secure tunnel or session through the Internet to the Concentrator.


■ Concentrator—The Concentrator terminates the opposite end of the tunnel. The
Concentrator decrypts, authenticates, and de-encapsulates the data.
IPSec Client-to-LAN Tunneling


In the example in the figure, a telecommuter needs to access information on the corporate
server, 10.0.1.10. The source address is the virtual IP address of the Software Client, 10.0.1.20.
The Concentrator or the Dynamic Host Configuration Protocol (DHCP) server usually supplies
it to the Software Client, which gives the Software Client the appearance of being resident on
the VPN.


Any data flowing from the server to the Software Client must be protected as it traverses the
Internet. Therefore, information flowing between the server and the Software Client is
encrypted, authenticated, and encapsulated using the Encapsulating Security Payload (ESP)
header to maintain confidentiality and data integrity.


However, this practice presents an issue. If the payload is encapsulated and encrypted, the
routers in the Internet are unable to read the source and destination addresses of the packet. The
routers are thus unable to route the packet. To solve this problem, an additional IP header is
added to the ESP-encapsulated data. The outside IP header is used to route the information
through the network using a routable address. The source address is the network interface card
(NIC) of the Software Client. The destination address is the public interface of the
Concentrator. The Software Client-to-server data is sent over the network using an IP-in-IP
encapsulation. Upon receipt, the Concentrator strips the outer IP header, decrypts the data, and
forwards the packet according to the inside IP address.
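The packet layout described above can be built and taken apart byte by byte. The following is an added example, not code from the course or from Cisco: it constructs the inner packet with the figure's VPN addresses (10.0.1.20 to 10.0.1.10), wraps it in an ESP-style envelope, prepends an outer IP header with routable addresses, and then does what the Concentrator does on receipt. Assumptions: the client NIC address 172.16.1.20 and the keys are constructed; the cipher is a stand-in (HMAC-SHA256 used as a counter-mode keystream, with a 128-bit truncated HMAC-SHA256 integrity check value), not a negotiated IPSec transform; and the inner payload is bare application data without a transport header.

```python
# Added example (not Cisco's code): builds the IP-in-IP packet the text describes, using
# the figure's addresses. The inner packet (client 10.0.1.20 -> server 10.0.1.10) is encrypted
# and integrity-protected inside an ESP-style envelope, then an outer IP header with
# routable addresses (client NIC -> Concentrator public interface 192.168.1.5) is prepended.
# Assumptions: the client NIC address 172.16.1.20 and the keys are constructed, and the
# cipher is a stand-in (HMAC-SHA256 as a counter-mode keystream, 128-bit truncated
# HMAC-SHA256 ICV), not a negotiated IPSec transform.
import hashlib
import hmac
import os
import socket
import struct

ESP_PROTO = 50  # IP protocol number for ESP
IPIP_NEXT = 4   # ESP next-header value for a tunnelled IPv4 packet
ICV_LEN = 16


def _checksum(hdr: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(hdr) % 2:
        hdr += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "proto": proto,
            "payload": pkt[ihl:total], "checksum_ok": _checksum(pkt[:ihl]) == 0}


def _keystream(key: bytes, iv: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, iv + struct.pack("!I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def esp_encapsulate(inner: bytes, enc_key: bytes, auth_key: bytes, spi: int, seq: int,
                    outer_src: str, outer_dst: str, iv: bytes = None) -> bytes:
    """Tunnel mode: the whole inner IP packet becomes the ESP payload."""
    iv = os.urandom(16) if iv is None else iv
    pad_len = (-(len(inner) + 2)) % 4  # ESP trailer keeps 4-byte alignment
    plaintext = inner + bytes(pad_len) + bytes([pad_len, IPIP_NEXT])
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, iv, len(plaintext))))
    esp = struct.pack("!II", spi, seq) + iv + ct
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    return build_ipv4(outer_src, outer_dst, ESP_PROTO, esp + icv)


def esp_decapsulate(pkt: bytes, enc_key: bytes, auth_key: bytes) -> bytes:
    """What the Concentrator does on receipt: verify, decrypt, strip the outer header."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != ESP_PROTO or not outer["checksum_ok"]:
        raise ValueError("not a well-formed ESP packet")
    esp, icv = outer["payload"][:-ICV_LEN], outer["payload"][-ICV_LEN:]
    expected = hmac.new(auth_key, esp, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")  # authenticate before decrypting
    iv, ct = esp[8:24], esp[24:]              # after the 8-byte SPI + sequence number
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, iv, len(ct))))
    pad_len, next_hdr = pt[-2], pt[-1]
    if next_hdr != IPIP_NEXT:
        raise ValueError("unexpected next header")
    return pt[:len(pt) - 2 - pad_len]


def router_view(pkt: bytes) -> dict:
    """All an Internet router can read: the outer header's routable addresses."""
    outer = parse_ipv4(pkt)
    return {"src": outer["src"], "dst": outer["dst"], "proto": outer["proto"]}


def demo() -> dict:
    enc_key, auth_key = b"\x01" * 32, b"\x02" * 32  # constructed keys
    inner = build_ipv4("10.0.1.20", "10.0.1.10", 6, b"GET / HTTP/1.0\r\n\r\n")
    pkt = esp_encapsulate(inner, enc_key, auth_key, 0x1000, 1, "172.16.1.20", "192.168.1.5")
    recovered = esp_decapsulate(pkt, enc_key, auth_key)
    try:  # flip one bit of the ICV: the Concentrator must reject the packet
        esp_decapsulate(pkt[:-1] + bytes([pkt[-1] ^ 0x01]), enc_key, auth_key)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"router_sees": router_view(pkt), "inner_hidden": inner not in pkt,
            "recovered_ok": recovered == inner, "tamper_detected": tamper_detected}
```

`router_view` is the point of the passage: an intermediate router sees only 172.16.1.20, 192.168.1.5 and protocol 50, never the 10.0.1.x addresses, and `esp_decapsulate` checks the ICV before it decrypts so a modified packet is dropped rather than forwarded.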
The Software Client works with the Concentrator to create a secure connection, called a tunnel,
between your computer and the private network. It uses Internet Key Exchange (IKE) and
IPSec tunneling protocols to make and manage the secure connection.


Some of the operations that the Software Client performs, which are mostly invisible to you,
include the following:


■ Negotiating tunnel parameters: addresses, algorithms, lifetime, and so on
■ Establishing tunnels according to the parameters
■ Authenticating users by ensuring that users are who they say they are through usernames,
group names, passwords, and digital certificates
■ Establishing user access rights: hours of access, connection time, allowed destinations,
allowed protocols, and so on
■ Managing security keys for encryption and decryption
■ Establishing the IPSec session
■ Authenticating, encrypting, and decrypting data through the tunnel
Initial Configuration of the Cisco VPN 3000 Series Concentrator for Remote Access


This topic explains how to cable the Cisco VPN 3000 Series Concentrator and establish a
management session between a PC and the Concentrator.


The Concentrator is equipped with universal power factor correction, 100–240 volts alternating
current (VAC). A power cable with the correct plug is supplied. When the Concentrator arrives
from the factory, you can plug it in and power it up. Connect the corporate LAN to the private
interface of the Concentrator. Cable the Internet side of the corporate network to the public
interface of the Concentrator. LAN ports can be programmed for 10-Mbps or 100-Mbps
Ethernet.


IP addresses are not preprogrammed into the Concentrator at the factory. Use the console port
to program the private interface IP address. The serial console port needs to be configured for
9600 bps, 8 data bits, no parity, and 1 stop bit (8N1). When the address has been programmed,
the operator can access the Concentrator via the browser.


After the initial private IP address configuration, the remaining parameters can be configured in
one of two ways: via the command line interface (CLI) or via a browser. For beginners, the
menu-driven browser is recommended. The CLI is for those individuals who understand the
menu structure. The CLI is accessed by either the direct connect console port or a LAN port
Telnet session.


The web interface supports both HTTP and HTTP over Secure Sockets Layer (SSL). Operators
can use either Internet Explorer or Netscape Navigator Software Revisions 4.0 or higher with
both cookies and JavaScript enabled. Use either browser to configure the Concentrator, with
one exception—Internet Explorer must be used when programming digital certificates.
[Figure: VPN 3000 Concentrator Manager main window. Navigation bar: Configuration (configure all features of this device), Administration (control administrative functions), Monitoring (view status, statistics, and logs). Bar at the top right: Main (return to this screen), Help (help for the current screen), Support (VPN 3000 Concentrator support and documentation), Logout (log out and return to the Manager login screen). Icons under the location bar: Save (save the active configuration and make it the boot configuration), Save Needed, Reset (temporarily reset statistics to zero), Restore (restore statistics from their reset values), Refresh (refresh statistics).]
The figure shows the main window of the Concentrator, which displays after you log into the
device:


■ The top frame (Cisco VPN 3000 Series Concentrator Manager toolbar) provides quick
access to Manager functions.


■ The left frame (table of contents [TOC]) provides the TOC to the Manager windows.


■ The main frame (Manager window) displays the current Manager window. You can
navigate the Manager using either the TOC in the left frame or the Manager toolbar at the
top of the frame. To navigate from the TOC, select a title on the left frame of the window,
and the Concentrator opens the Manager window for that topic in the main frame.


When you are finished with the configuration window, click Apply, which causes the
configuration to take effect immediately. Click the Save Needed icon to save the changes to
memory. If you reboot without saving, your configuration changes are lost.
Quick Configuration


[Figure: VPN 3000 Concentrator Series Manager welcome window, logged in as admin, with the Configuration, Administration, and Monitoring menu and the Main | Help | Support | Logout bar. Text: "The VPN 3000 Concentrator Series has booted, and you must now supply some configuration parameters to make it operational. To configure the minimal parameters, click here to start Quick Configuration. To configure all features, click here to go to the Main Menu."]
There are two ways to configure the Concentrator: Quick Configuration and the main menu.
Quick Configuration enables you to configure the minimal parameters for operation. It
automatically enables remote IPSec Client connections via an ISP for a single user group. The
main menu is used to add additional IPSec user groups and to configure all features
individually. Using Quick Configuration, an IPSec remote access application can be
programmed by accessing six windows. Using the main menu, the same application requires the
operator to access 12 or more windows. The next topics take you through an IPSec remote
access configuration example.


Note You can run Quick Configuration only once. You must reboot to the factory default 
configuration to run it again. 
Browser Configuration of the Cisco VPN 3000 Series Concentrator


After configuring the Cisco VPN 3000 Series Concentrator via the CLI, you can use the 
browser interface to configure the remaining items. This topic explains using the browser 
interface to configure the Concentrator. 
[Figure: first Quick Configuration window, "Configure VPN 3000 Concentrator interfaces." Ethernet 1 (Private) is the interface to your private network (internal LAN); Ethernet 2 (Public) is the interface to the public network; Ethernet 3 (External) is the interface to an additional LAN. Warning: if you modify the interface that you are currently using to connect to this device, you will break the connection and will have to restart from the login screen. Buttons: Back, Continue.]

Interface              Status           IP Address     Subnet Mask
Ethernet 1 (Private)   UP               10.0.1.5       255.255.255.0
Ethernet 2 (Public)    UP               192.168.1.5    255.255.255.0
Ethernet 3 (External)  Not Configured   0.0.0.0        0.0.0.0


The figure contains an example of the first Quick Configuration window. It displays the current 
configuration of the IP interfaces: 


■ Private—Interface toward the internal network
■ Public—Interface toward the public network (Internet)
■ External—Interface toward the external network or Demilitarized Zone (DMZ)


Remember, in this example, the private LAN interface was configured via the CLI. To 
configure the public LAN interface (toward the Internet), click the public interface hyperlink to 
access the public interface configuration window. 
Public IP Interface


[Figure: "Configuring Ethernet Interface 2 (Public)." Ethernet 1 (private IP address) 10.0.P.5; Ethernet 2 (public IP address) 192.168.1.5. Warning: you are modifying the interface you are using to connect to this device; if you make any changes, you will break the connection and will have to restart from the login screen. General Parameters: Disabled (select to disable this interface); DHCP Client with System Name (select to obtain the IP address, subnet mask, and default gateway via DHCP; a system name may be required for DHCP); Static IP Addressing with IP Address 192.168.1.5 and Subnet Mask 255.255.255.0 (select to configure the IP address and subnet mask); Public Interface check box; MAC Address; Filter (None); Speed (10/100 auto); Duplex (Auto); MTU 1500 (enter the maximum transmit unit for this interface, 68 - 1500). Buttons: Apply, Cancel.]
The window displayed in the figure is used to configure the public IP interface. The public IP
interface can be configured in one of three ways: disabled, set as a DHCP client, or configured
to use a static IP address. The public IP interface parameters are as follows:


■ Disabled radio button—The interface is enabled by default. Select the Disabled radio
button to disable the interface.


■ DHCP Client radio button—Select the DHCP Client radio button if you want to enable
this interface and use DHCP to obtain an IP address. In the System Name field, enter a
name (such as VPN01 for the Concentrator). This name must uniquely identify this device
on your network.


■ Static IP Addressing radio button—Select the Static IP Addressing radio button if you
want to enable this interface and set the static IP address. In the IP Address field, enter the
IP address for this interface using dotted decimal notation (for example, 192.168.1.5). Be
sure that no other device is using this address on the network. In the Subnet Mask field,
enter the subnet mask for this interface using dotted decimal notation (for example,
255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate
for the IP address you just entered. For example, the IP address 192.168.1.5 is a Class C
address, and the standard subnet mask is 255.255.255.0. You can accept this entry or
change it. Note that 0.0.0.0 is not allowed.


■ Public Interface check box—Select the Public Interface check box to make this a public
interface.


■ MAC Address field—This field displays the unique hardware MAC address for this
interface.


■ Filter drop-down menu—Click the Filter drop-down menu arrow and choose the public
(default) filter, which allows only non-source-routed inbound and outbound tunneling
protocols and Internet Control Message Protocol (ICMP). The public filter is the default
filter for Ethernet 2.


■ Speed drop-down menu—Keep the default value.
■ MTU field—The maximum transmission unit (MTU) value specifies the packet size, in
bytes, for the interface. Valid values range from 68 through 1500. The default value, 1500,
is the MTU for Ethernet.
System Information (figure): the Configuration>Quick>System Info window. It asks for a System Name (hostname, e.g., vpn01, which may be required if you use DHCP to obtain an address), a New Time with time zone and an Enable DST Support check box (the correct time is important so that logging and accounting entries are accurate), a DNS Server address (lets you enter hostnames rather than IP addresses in later Manager fields), a Domain name, and a Default Gateway (192.168.1.1 in the example; leave at 0.0.0.0 for no default gateway), followed by a Continue button.
Use the Configuration>Quick>System Info window to configure basic information about the
Cisco VPN 3000 Series Concentrator:

■ System Name field—Enter a name (such as VPN01) for the Concentrator in this field. This
name must uniquely identify this device.

■ New Time fields and drop-down menus—Setting the correct time is very important so that
logging and accounting entries are accurate. The fields show the current date and time on
the device. The values shown in the New Time fields are the time on the browser PC, but
any entries you make apply to the Concentrator. Enter the year as a four-digit number.

■ DNS Server field—Enter the IP address of your local Domain Name System (DNS) server,
using dotted decimal notation (for example, 10.0.1.10). Specifying a DNS server lets you
enter Internet hostnames (for example, vpn.company.com).

■ Domain field—Enter your Internet domain name.

■ Default Gateway field—Enter the IP address or hostname of the system to which the
Concentrator should route packets that are not explicitly routed. In other words, if the
Concentrator has no IP routing parameters (Routing Information Protocol [RIP], Open
Shortest Path First [OSPF], or static routes) that specify where to send a packet, it will send
it to the gateway specified in this field. This address must not be the same as the IP address
configured on any Concentrator interface (for example, a default gateway may be to the
perimeter router at 192.168.1.1).
Protocols (figure): the Configuration | Quick | Protocols window, where you select the tunneling protocols and encryption options to enable. PPTP and L2TP each offer Require Encryption (clients without encryption will not gain access; requires MSCHAP) or Don't Require Encryption (clients may optionally use encryption). The IPSec check box enables remote user connections via IPSec; LAN-to-LAN configurations are done outside of Quick Configuration. Back and Continue buttons follow.
Use the Configuration>Quick>Protocols window to configure the supported remote access
protocols: Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and
IPSec. The Concentrator can support all three protocols simultaneously. (However, for the sake
of simplicity, only one application at a time is configured in the lab exercises.) Configure IPSec
remote access, as shown in the figure, by selecting the IPSec check box. You cannot use Quick
Configuration to configure IPSec LAN-to-LAN applications.


Copyright © 2005, Cisco Systems, Inc. | Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Pre-Shared Keys 5-15 




Address Assignment (figure): a DHCP server at 10.0.1.10 supplies the DHCP address across the Internet. The window asks you to select at least one method of assigning IP addresses to clients as a tunnel is established; the methods are tried in the order listed: 1. Client Specified (lets the client specify its own IP address); 2. Per User (assigns IP addresses on a per-user basis; recommended if the authentication server you configure next has IP addresses configured); 3. DHCP (Specify Server, 10.0.1.10 in the example); 4. Configured Pool (Range Start and Range End; uses this device to assign IP addresses). A Continue button follows.
In the remote access PC, there are two IP addresses: the NIC address and the virtual IP address.
The Concentrator Address Assignment window allows you to define how the remote PC
receives the second IP address. There are four possible methods for obtaining the virtual IP
address from which you must choose:

■ Client Specified check box—Select this check box to enable the Software Client to specify
its own IP address. For maximum security, it is recommended that you control IP address
assignments and not use the Software Client-specified IP addresses.

■ Per User check box—Select this check box to assign IP addresses retrieved from an
authentication server on a per-user basis. If you are using an authentication server (external
or internal) that has IP addresses configured, using this method is recommended.

■ DHCP check box—Select this check box to use a DHCP server to assign IP addresses.

■ Configured Pool check box—Select this check box to use the Concentrator to assign IP
addresses from an internally configured pool.
Authentication (figure): the Client reaches the Cisco VPN 3000 Series Concentrator across the Internet, and user authentication is performed against an NT domain authentication server at 10.0.1.10 (Computer Name: BOSTON, Domain: Domain_BOSTON). The Configuration>Quick>Authentication window lets you specify how to authenticate users under PPTP, L2TP, or IPSec, using the internal server or an external authentication server (selecting Internal Server requires configuring the internal user database; additional servers can be configured under System Configuration). The example shows Server Type NT Domain, Authentication Server Address 10.0.1.10, Server Port 0 (0 means the default port, 139), Timeout 4 seconds, Retries 2, and Domain Controller Name Boston (the NT Primary Domain Controller name), with Back and Continue buttons.
Before remote users can gain access to the private corporate network, they must be
authenticated. Use the Configuration>Quick>Authentication window to define the types of
authentication servers:

■ Server Type drop-down menu—Click the drop-down arrow and choose one of the
following:

— RADIUS—An external Remote Authentication Dial-In User Service (RADIUS) server.

— NT Domain—An external Windows NT domain server. Use the computer name, not the
domain name. If you are unsure of the NT server computer name, refer to Start>Control
Panel>System>Network Identification on your PC or ask your network administrator.

— Security Dynamics (SDI)—An external Rivest, Shamir, and Adleman (RSA) Security
Inc. SecurID server.

— Kerberos/Active Directory—Supports authentication to Kerberos/Active Directory,
which is the default authentication mechanism in Microsoft Windows 2000 and
Windows XP.

— Internal Server—The internal Concentrator authentication server (a maximum of 100
groups and users).

■ Authentication Server Address field—Enter the IP address of the Windows NT domain
authentication server (for example, 10.0.1.10).

■ Domain Controller Name field—Enter the Windows NT primary domain controller
hostname for this server (for example, Boston). Do not use the domain name.
Configuration of Users and Groups

This topic explains how to configure users and groups on the Concentrator.

Groups and Users (figure): on the Groups side, the base group (Corporate) and department groups such as MIS, Customer Service, and Finance, with paths such as /Base/Sales, /Base/Service, and /Base/Finance; on the Users side, individuals such as the VP of MIS and the VP of Finance.
Within a corporation, not everyone has the same access requirements: customer service
engineers may require seven-day, 24-hour access; sales entry personnel need five-day, eight-
hour access; and contract help might need access from 9 a.m. to 5 p.m., with restricted server
access. The Concentrator can accommodate different access and usage requirements. You can
define different rights and privileges on a group basis. A customer service engineer, sales entry
person, and contractor can be assigned to different groups. Within each group, you can
configure different access hours, access protocols, idle timeouts, and server restrictions.

Within the Concentrator user management configuration tree, there are three group categories:

■ Default group—The default group is a default template. The majority of the corporation
access rights and privileges are defined in this group.

■ Groups—Individual groups inherit the attributes of the default group, and you can then
customize rights and privileges to meet the needs of specific groups.

■ Users—An individual user may require a unique set of privileges.

By configuring the default group first, specific groups second, and users third, you can quickly
manage access and usage rights for large numbers of users.
User and Group Policies (figure): the Group>General window, General Parameters section. Each attribute has a Value, an Inherit? check box, and a description: Access Hours (-No Restrictions-; select the access hours assigned to this group), Simultaneous Logins (enter the number of simultaneous logins for this group), Minimum Password Length (enter the minimum password length for users in this group), Allow Alphabetic-Only Passwords (enter whether to allow users with alphabetic-only passwords to be added to this group), Idle Timeout in minutes (enter the idle timeout for this group), Maximum Connect Time in minutes (enter the maximum connect time for this group), and Filter (enter the filter assigned to this group). Together these define the group's access rights and privileges.
From the Group>General window, you can configure group attributes on a group-by-group
basis:

■ Access Hours drop-down menu—Click the drop-down arrow and choose the named hours
when group users can access the Concentrator (for example, M-F, 9-5).

■ Simultaneous Logins field—Enter in this field the number of simultaneous logins that
group users are permitted.

■ Minimum Password Length field—Enter the minimum number of characters for group user
passwords.

■ Allow Alphabetic-Only Passwords check box—Select the check box to allow base-group
user passwords with alphabetic characters only (the default).

■ Idle Timeout field—Enter the time (in minutes). If there is no communication activity on
the connection in this period, the system terminates the connection. Enter 0 to disable the
timeout and allow an unlimited idle period.

■ Maximum Connect Time field—Enter the time in minutes. At the end of this time, the
system terminates the connection. Enter 0 (the default) to allow unlimited connection time.

■ Filter drop-down menu—Click the drop-down arrow and choose an option to define a filter.
You can restrict the access of a group to the network based on the Software Client source
address, destination address, or protocol.

■ Inherit check boxes—Select the appropriate check boxes if you want the corresponding
attributes to be inherited from the default group configuration. If you deselect a check box,
you must enter or change any corresponding value.
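The default group, group, and user layering described in this topic, together with the Inherit check boxes above, as an added Python example (not Cisco's code): a key missing from a node means Inherit? is checked, the effective policy is resolved up the chain, and the General tab rules are then applied to a session. The group names, attribute values, and the two sample times are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Attributes from the Group>General window of the page.
ATTRS = ("access_hours", "simultaneous_logins", "min_password_length",
         "allow_alphabetic_only", "idle_timeout", "max_connect_time", "filter")

# Named access-hours templates; Business Hours is 9 a.m. to 5 p.m., Monday through Friday.
ACCESS_HOURS = {
    "No Restrictions": lambda t: True,
    "Never": lambda t: False,
    "Business Hours": lambda t: t.weekday() < 5 and 9 <= t.hour < 17,
}


@dataclass
class Policy:
    """One node of the chain user -> group -> base group.

    A key missing from `values` means the Inherit? box is checked for that
    attribute, so the value comes from the parent."""
    name: str
    parent: "Policy | None" = None
    values: dict = field(default_factory=dict)

    def resolve(self, attr):
        """Walk up the chain until some node sets the attribute."""
        node = self
        while node is not None:
            if attr in node.values:
                return node.values[attr]
            node = node.parent
        raise KeyError(f"{attr} is not set anywhere above {self.name}")

    def effective(self):
        """The fully resolved policy, as the Concentrator would apply it."""
        return {a: self.resolve(a) for a in ATTRS}


def check_session(policy, now, active_logins, idle_minutes, connected_minutes):
    """Return (allowed, reason). As on the General tab, 0 means no limit."""
    eff = policy.effective()
    if not ACCESS_HOURS[eff["access_hours"]](now):
        return False, "outside access hours"
    if active_logins >= eff["simultaneous_logins"]:
        return False, "simultaneous login limit reached"
    if eff["idle_timeout"] and idle_minutes >= eff["idle_timeout"]:
        return False, "idle timeout"
    if eff["max_connect_time"] and connected_minutes >= eff["max_connect_time"]:
        return False, "maximum connect time"
    return True, "ok"


def password_acceptable(policy, password):
    """Minimum Password Length plus the Allow Alphabetic-Only Passwords rule."""
    eff = policy.effective()
    if len(password) < eff["min_password_length"]:
        return False
    if password.isalpha() and not eff["allow_alphabetic_only"]:
        return False
    return True


# Constructed hierarchy (hypothetical values): the base group carries the corporate
# defaults, /Base/Sales overrides two attributes, /Base/Service inherits everything
# (seven-day, 24-hour access), and one user overrides the access hours of its group.
BASE = Policy("Base", values={
    "access_hours": "No Restrictions", "simultaneous_logins": 3,
    "min_password_length": 8, "allow_alphabetic_only": False,
    "idle_timeout": 30, "max_connect_time": 0, "filter": "Private (Default)"})
SALES = Policy("/Base/Sales", BASE, {"access_hours": "Business Hours",
                                     "max_connect_time": 480})
SERVICE = Policy("/Base/Service", BASE)
VP_OF_SALES = Policy("vp_sales", SALES, {"access_hours": "No Restrictions"})

# Sample times: the page's Friday, 23 February 2001, and the Saturday after it.
FRIDAY = datetime(2001, 2, 23, 11, 0)
SATURDAY = datetime(2001, 2, 24, 11, 0)

if __name__ == "__main__":
    print(check_session(SALES, SATURDAY, 0, 0, 0))        # (False, 'outside access hours')
    print(check_session(VP_OF_SALES, SATURDAY, 0, 0, 0))  # (True, 'ok')
    print(password_acceptable(BASE, "abcdefgh"))          # False: alphabetic only
```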
Group Database (figure): the Client connects across the Internet to the Cisco VPN 3000 Series Concentrator, whose internal server holds the group Training. The Configuration | Quick | IPSec Group window asks you to select a Group Name (training) and Password, with a Verify field, to be used by remote IPSec users; the Group Password must be at least 4 characters long. Back and Continue buttons follow.
© 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0—5-23
The Configuration>Quick>IPSec Group window enables you to enter a group name or
username and password. The Software Client is authenticated by group to determine the
Concentrator access and usage rights of that group. To do so, you must enter information in the
following fields:

■ Group Name—Enter a unique name for this specific group. The maximum is 32 characters.

■ Password—Enter a unique password for this specific group. The minimum is 4 characters,
and the maximum is 32 characters. The field displays only asterisks. The password is the
IKE pre-shared key.

■ Verify—Re-enter the group password to verify it. The field displays only asterisks.
Admin Password (figure): the window states "We strongly recommend that you change the password for user admin" and provides Password and Verify fields, with Back and Continue buttons.
The window shown in the figure is the last Quick Configuration window. It is used to change
the administrative password. Enter information in the following fields to change the
administrative password:

■ Password—Enter or edit the unique password for this administrator. The maximum number
of characters is 31. The field displays only asterisks.

Caution The default password that Cisco supplies is the same as the username. It is strongly
recommended that you change this password in a production environment. (Do not change
the password in the classroom environment.)

■ Verify—Re-enter the password to verify it. The field displays only asterisks.
In-Depth Configuration Information

The previous topic explained how to quickly configure a single IPSec tunnel using Quick
Configuration. This topic explains how to configure or modify IKE, group, and mode
configuration parameters.

Authentication (figure): Concentrator authentication checks the Cisco VPN Client against the internal server as a member of group Training; network authentication (Xauth) then admits the user to the network. With the Cisco VPN Client 2.5, IKE Phase 1 completes and then Xauth runs; with the Cisco VPN Client 3.0 or higher, Xauth runs and then IKE Phase 1 completes.
There are two types of authentication in the VPN network:

■ Concentrator authentication—Used to set up user rights and privileges as they relate to the
Concentrator (for example, hours of operation, simultaneous logins, filters, and inactivity
timeout).

■ Network authentication—Used to control access to the corporate network. Corporations
typically require a secondary level of authentication, network authentication, before allowing
users onto their networks. An end user is prompted for a username and password,
which in turn is verified by an authentication server. Only after being authenticated is an
end user granted access to the corporate network. Network authentication is referred to as
Extended Authentication (Xauth).

With the original Cisco 2.5 client, Xauth was performed after IKE Phase 1 was completed.
Beginning with the Cisco VPN 3.0 Client, Xauth is performed during IKE Phase 1. In order for
the Software Client to talk to the Concentrator, the correct IKE proposals must be defined for
each Cisco VPN Client.

The type of Software Client resident on the remote PC is identified in the vendor identification
field of an IKE message. The IKE proposal on the Concentrator must match the requirements of
the Software Client.
Activate IKE Proposal (figure): the IKE Proposals window, used to add, delete, prioritize, and configure IKE proposals. Select an Inactive Proposal and click Activate to make it Active, or click Modify, Copy, or Delete as appropriate; select an Active Proposal and click Deactivate to make it Inactive, or click Move Up or Move Down to change its priority; click Add or Copy to add a new Inactive Proposal. IKE proposals are used by Security Associations to specify IKE parameters. The Active Proposals column begins with CiscoVPNClient-3DES-MD5 (callout: 3002, 3.x or 4.x Client), followed by IKE-3DES-MD5, IKE-3DES-MD5-DH1, IKE-3DES-MD5-RSA-DH1, IKE-DES-MD5, a DH7 proposal (callout: Certicom client), and others; the Inactive Proposals column holds the remaining templates (for example, IKE-3DES-SHA-DSA and IKE-AES256-SHA).
The Concentrator can handle several types of remote clients: the Cisco VPN 3.0 or higher
Client, the Cisco VPN 2.5 Client, and the Certicom client. Before the Concentrator can
interface with these clients, you must make sure that the appropriate IKE proposal is
configured, activated, and prioritized.

In remote access connections, the Software Client sends IKE proposals to the Concentrator.
The Concentrator functions only as the responder. As the responder, the Concentrator checks
the active IKE proposal list, in priority order, to see if it can find a proposal that matches the
parameters in the proposed Security Association (SA) of the Software Client. If a match is
found, the tunnel establishment continues. If no match is found, the tunnel is torn down.

The IKE proposals are as follows:

■ For the Cisco VPN 3.0 Client or higher, use any of the proposals that start with
CiscoVPNClient. The default is CiscoVPNClient-3DES-MD5. The Cisco VPN 3.0 Client
or later proposal must be listed first under the Active Proposals list, or your Cisco VPN
Client will not connect.

■ For the Cisco VPN 2.5 Client, use any of the IKE proposals except the IKE proposals that
end in DH7.

■ For the Certicom client, use a proposal that ends in Diffie-Hellman group 7 (DH7). The
Certicom client requires a proposal that supports DH7.

Each IKE proposal in the IKE Proposals window is a template. The parameters assigned to the
template are applied to the individual remote connection.
Check IKE Proposal (figure): the Modify a configured IKE Proposal window for the proposal named CiscoVPNClient-3DES-MD5, showing Authentication Mode Preshared Keys (XAUTH), Authentication Algorithm MD5/HMAC-128 (the packet authentication algorithm), Encryption Algorithm 3DES-168, Diffie-Hellman Group 2 (1024-bits), Lifetime Measurement Time (the lifetime measurement of the IKE keys), Data Lifetime 10000 KB, and Time Lifetime 86400 seconds, with Apply and Cancel buttons.
As described in the previous topic, individual IKE templates were displayed under the Active
Proposals column. By selecting an IKE proposal and then clicking Modify, the administrator
can view or modify the individual parameters of the IKE proposal, or template. Use the
Configuration>System>Tunneling Protocols>IPSec>IKE Proposals>Modify window to check
the IKE proposals to make sure that you have the correct IKE parameters for a particular
Software Client type.

■ Click the Authentication Mode drop-down arrow to choose the proper authentication
mode:

— Pre-shared Keys (Xauth) for Cisco VPN 3.0 Client or later applications
— Pre-shared Keys for the Cisco VPN 2.5 Client
— Pre-shared Keys with DH7 for Certicom client applications

■ Click the Diffie-Hellman Group drop-down arrow to choose the correct DH group for
each Software Client:

— Group 1 (768 bits) for Cisco VPN 2.5 Clients using digital certificates
— Group 2 (1024 bits) for Cisco VPN 2.5 Clients using pre-shared keys
— Group 5 (1536 bits) for clients using Advanced Encryption Standard (AES) encryption
— Group 7 (Elliptic Curve Cryptosystem [ECC]) for the Certicom client

■ Click the Encryption Algorithm drop-down arrow to choose the proper encryption
algorithm:

— DES-56
— 3DES-168
— AES-128
— AES-192 (not supported on either the Cisco VPN Software or Hardware Client)
— AES-256
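The responder-side matching described under Activate IKE Proposal, together with the client-type rules for Authentication Mode and Diffie-Hellman Group listed above, as an added Python example (not the Concentrator's code). The template names are the page's defaults and the CiscoVPNClient-3DES-MD5 parameters are those in the Modify window; the parameters of the other two templates, the client offers, and the lint messages are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeProposal:
    name: str
    auth_mode: str   # Authentication Mode, e.g. "Pre-shared Keys (Xauth)"
    auth_alg: str    # packet authentication algorithm, e.g. "MD5/HMAC-128"
    encryption: str  # "DES-56", "3DES-168", "AES-128", "AES-256"
    dh_group: int    # 1, 2, 5 or 7 (Group 7 is the Certicom elliptic-curve group)

    def matches(self, offered):
        """The name is only a template label; the negotiated parameters must agree."""
        return (self.auth_mode, self.auth_alg, self.encryption, self.dh_group) == (
            offered.auth_mode, offered.auth_alg, offered.encryption, offered.dh_group)


def select_proposal(active, offered):
    """Responder logic: the first Active Proposal, in priority order, that matches any
    proposal the client offered; None means no match and the tunnel is torn down."""
    for template in active:
        for proposal in offered:
            if template.matches(proposal):
                return template
    return None


def suitable_for(client, proposal):
    """Client-type rules from the text: 3.0+ needs a CiscoVPNClient template,
    2.5 any template not ending in DH7, Certicom a template ending in DH7."""
    if client == "3.0+":
        return proposal.name.startswith("CiscoVPNClient")
    if client == "2.5":
        return not proposal.name.endswith("DH7")
    if client == "Certicom":
        return proposal.name.endswith("DH7")
    raise ValueError(f"unknown client type {client!r}")


def lint_active_list(active, clients):
    """Problems an administrator would want flagged before clicking Apply."""
    problems = []
    if "3.0+" in clients and not active[0].name.startswith("CiscoVPNClient"):
        problems.append("CiscoVPNClient proposal is not first; 3.0+ clients will not connect")
    for client in clients:
        if not any(suitable_for(client, p) for p in active):
            problems.append(f"no active proposal suits the {client} client")
    return problems


# Template names are the page's defaults. CiscoVPNClient-3DES-MD5 carries the values shown
# in the Modify window; the other two are filled in from their names (assumed values).
CISCO_3DES_MD5 = IkeProposal("CiscoVPNClient-3DES-MD5", "Pre-shared Keys (Xauth)",
                             "MD5/HMAC-128", "3DES-168", 2)
IKE_3DES_MD5 = IkeProposal("IKE-3DES-MD5", "Pre-shared Keys",
                           "MD5/HMAC-128", "3DES-168", 2)
IKE_3DES_MD5_DH7 = IkeProposal("IKE-3DES-MD5-DH7", "Pre-shared Keys with DH7",
                               "MD5/HMAC-128", "3DES-168", 7)
ACTIVE = [CISCO_3DES_MD5, IKE_3DES_MD5]   # constructed priority list; the DH7 template is inactive

# Constructed client offers: a 3.0 client proposing Xauth with 3DES/MD5/DH2, and a
# Certicom client that can only propose its DH7 transform.
CLIENT_30_OFFER = [IkeProposal("offer", "Pre-shared Keys (Xauth)", "MD5/HMAC-128", "3DES-168", 2)]
CERTICOM_OFFER = [IkeProposal("offer", "Pre-shared Keys with DH7", "MD5/HMAC-128", "3DES-168", 7)]

if __name__ == "__main__":
    print(select_proposal(ACTIVE, CLIENT_30_OFFER).name)   # CiscoVPNClient-3DES-MD5
    print(select_proposal(ACTIVE, CERTICOM_OFFER))         # None: tunnel torn down
    print(lint_active_list([IKE_3DES_MD5, CISCO_3DES_MD5], ["3.0+", "Certicom"]))
```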
Group Configuration—Identity

Group Configuration—Identity (figure): the group tree shows /Base with the groups Service and Training. Check the Inherit? box to set a field that you want to default to the base group value; uncheck the Inherit? box and enter a new value to override base group values. Identity Parameters: Group Name (training; enter a unique name for the group), Password (enter the password for the group), Verify (verify the group's password), and Type (Internal or External; external groups are configured on an external authentication server, e.g., RADIUS, and internal groups on the VPN 3000 Concentrator's internal database), with Apply and Cancel buttons.
Within the Configuration>User Management>Groups>Modify Training window, you can view
or modify individual group parameters. There are seven tabs located under Configuration>User
Management>Groups>Modify Training: Identity, General, IPSec, Client Config, Client FW,
HW Client, and PPTP/L2TP. Under each tab, the following information can be configured:

■ Identity tab—You can configure the group name, password, and group authentication
server type.

■ General tab—You can configure access rights, privileges, and protocols.

■ IPSec tab—You can configure the IPSec tunneling parameters.

■ Client Config tab—You can configure the Software Client, Microsoft client, and common
client parameters.

■ Client FW tab—You can configure the Software Client firewall parameters.

■ HW Client tab—You can configure the Hardware Client parameters.

■ PPTP/L2TP tab—You can configure the PPTP and L2TP tunneling parameters.

The identity parameters can be set as follows:

■ Group Name field—Enter a unique name for this specific group. The maximum number of
characters is 32.

■ Password field—Enter a unique password for this specific group. The minimum number of
characters is 4 and the maximum is 32. The field displays only asterisks.

■ Verify field—Re-enter the group password to verify it. The field displays only asterisks.

■ Type drop-down menu—Click the drop-down arrow and choose the type of group:

— Internal—Use the internal Concentrator authentication server to authenticate groups for
IPSec tunneling. The internal server is the default selection.

— External—Use an external authentication server to verify this group (for example, a
RADIUS server).
Group Configuration—General (figure): the General tab of the group window. Each attribute has a Value, an Inherit? check box, and a description. Access rights and privileges: Access Hours (-No Restrictions-), Simultaneous Logins, Minimum Password Length, Allow Alphabetic-Only Passwords, Idle Timeout (minutes), Maximum Connect Time (minutes), and Filter. Name servers: Primary DNS, Secondary DNS, Primary WINS, and Secondary WINS (enter the IP address of each server). Tunneling protocol: Tunneling Protocols check boxes (PPTP, L2TP, IPSec, L2TP over IPSec; select the tunneling protocols this group can connect with), Strip Realm (check to remove the realm qualifier of the username during authentication), and DHCP Network Scope (the IP subnetwork to which users within this group will be assigned when using the Concentrator as a DHCP proxy).
The General tab can be broken down into three sections: the top section defines access rights
and privileges, the center section is for Windows Internet Name Service (WINS) and DNS
information used by the Software Client, and the bottom section defines which tunneling
protocols are supported by this group. The General tab parameters can be set as follows:

■ Access Hours drop-down menu—Click the drop-down arrow and choose the hours when
group users can access the Concentrator:

— No Restrictions—No restrictions on access hours
— Never—No access at any time
— Business Hours—Access from 9 a.m. to 5 p.m., Monday through Friday

■ Simultaneous Logins field—Enter the number of simultaneous logins that group users are
permitted. The minimum is 1 and the default is 3. Although there is no maximum limit,
allowing several could compromise security and affect performance.

■ Minimum Password Length field—Enter the minimum number of characters for group user
passwords. The minimum is 1, the default is 8, and the maximum is 32.

■ Allow Alphabetic-Only Passwords check box—Select the check box to allow user
passwords with alphabetic characters only. To maintain security, it is strongly
recommended that you do not allow such passwords.

■ Idle Timeout field—Enter the group idle timeout period in minutes. If there is no
communication activity on the connection in this period, the system terminates the
connection.

■ Maximum Connect Time field—Enter the group maximum connection time in minutes. At
the end of this time, the system terminates the connection.

■ Filter drop-down menu—Filters can be used to restrict a group's access to the network based
on source address, destination address, and protocol.

Note The PC will overwrite its current values with information from the following fields.

■ Primary DNS field—Enter the IP address of the primary DNS server for this group.

■ Secondary DNS field—Enter the IP address of the secondary DNS server for this group.

■ Primary WINS field—Enter the IP address of the primary WINS server for this group.

■ Secondary WINS field—Enter the IP address of the secondary WINS server for this group.

■ SEP Card Assignment check boxes (depends on model)—It is recommended that you
leave all four check boxes selected (for redundancy).

■ Tunneling Protocols check boxes—Select the check boxes for the tunneling protocols
that the user Software Clients can use. (Although the Concentrator can support all four
protocols simultaneously, in the lab exercise for this lesson, you will remove the check
from the PPTP and L2TP check boxes. Select IPSec only.)

■ Strip Realm check box—If you select this check box, authentication is based on the
username alone. The realm qualifier at the end of the username is removed (for example,
"service" is stripped from "bob@service"). If this check box is not selected, authentication
is based on the full string (for example, username@realm).

■ DHCP Network Scope field—Enter the IP subnetwork that the DHCP server should assign
to users in this group; for example, 200.0.0.0. DHCP Network Scope indicates to the DHCP
server the range of IP addresses from which to assign addresses to users in this group.
The IPSec tab enables you to configure IPSec parameters that apply to this group. The window
can be divided into two sections: IPSec and remote access parameters. IPSec parameters can be
set as follows:

■ IPSec SA drop-down menu—Click the drop-down arrow and choose the IPSec SA
assigned to the IPSec clients for this group. During tunnel establishment, the IPSec client
and server negotiate an SA that governs authentication, encryption, encapsulation, key
management, and so on. View or modify IPSec SAs in the Configuration>Policy
Management>Traffic Management>Security Associations window.

■ IKE Peer Identity Validation drop-down menu—This option applies only to tunnel
negotiations based on digital certificates.

■ IKE Keepalives check box—Select this check box to enable the feature. (IKE keepalives
are enabled by default.) This feature allows the Concentrator to monitor the continued
presence of a remote peer and to report its own presence to that peer. If the peer becomes
unresponsive, the Concentrator initiates removal of the connection. Enabling IKE
keepalives prevents hung connections when rebooting either the host or the peer. For this
feature to work, both the Concentrator and its remote peer must support IKE keepalives.
The following peers support IKE keepalives:

— Cisco VPN Client (Version 3.0)
— Cisco VPN Client (Version 2.x)
— Cisco VPN Hardware Client
— Concentrators (with IKE support)
— Cisco IOS software
— Cisco PIX Firewall

■ Tunnel Type drop-down menu—Click the drop-down arrow and choose the remote access
tunnel type.
Dead peer detection (DPD) messages are used to enable VPN devices to detect tunnel failure on
the devices located at the other end of a tunnel (for example, when you reboot one device and
lose an Internet connection). A worry metric determines how often a DPD message is sent in
the absence of data received from the IKE peer. When data is received, the worry timer is reset.
If the worry timer expires, a DPD message is sent. The worry timers are as follows:

■ In the Cisco VPN 3000 Series Concentrator Version 3.0 or later Software Client and
Hardware Client, the worry timer is set for 20 seconds.

■ In the Concentrator, the worry timer is set for 5 minutes.

If you are configuring a group of mixed peers, and some of those peers support IKE keepalives
while others do not, enable IKE keepalives for the entire group. During IKE negotiation, each
of the Software Clients will identify whether DPD messages are supported. Both ends must
support the feature. The feature will have no effect on the peers that do not support it.

Note To reduce connectivity costs, disable IKE keepalives if this group includes any Software
Clients connecting via ISDN lines. ISDN connections normally disconnect if idle, but the IKE
keepalive mechanism prevents connections from idling out and, therefore, from
disconnecting.
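The worry timer behaviour described above, as an added Python simulation (not Cisco's code): the 20-second and 5-minute worry timers are the page's values, while the number of unanswered DPD messages tolerated before the peer is declared dead (DPD_RETRIES), the idealized immediate reply from a live peer, and the reboot scenario are assumptions. It also shows why enabling the feature for a mixed group is harmless: a peer that did not advertise DPD support is simply never probed.

```python
CLIENT_WORRY = 20          # seconds: VPN Client 3.0 or later and the Hardware Client
CONCENTRATOR_WORRY = 300   # seconds: 5 minutes on the Concentrator
DPD_RETRIES = 3            # assumed: unanswered DPD messages tolerated before the peer is dead


class DpdSide:
    """One end of a tunnel running the worry timer described in the text."""

    def __init__(self, worry, peer_supports_dpd, retries=DPD_RETRIES):
        self.worry = worry
        self.peer_supports_dpd = peer_supports_dpd   # learned during IKE negotiation
        self.retries = retries
        self.timer_start = 0.0
        self.unanswered = 0
        self.dead = False

    def data_received(self, t):
        """Any data from the peer, including a DPD reply, resets the worry timer."""
        self.timer_start = t
        self.unanswered = 0

    def tick(self, t):
        """Advance to time t: 'dpd' if a message was sent, 'dead' if the peer is given up on."""
        if self.dead or not self.peer_supports_dpd:
            return None                     # the feature has no effect on a non-supporting peer
        if t - self.timer_start < self.worry:
            return None
        self.timer_start = t                # a DPD message goes out every worry interval
        self.unanswered += 1
        if self.unanswered > self.retries:
            self.dead = True
            return "dead"
        return "dpd"


def simulate(worry, peer_supports_dpd, data_times, peer_alive_until, horizon):
    """Run one side for `horizon` seconds. Data from the peer arrives at the times in
    `data_times`; the peer reboots at `peer_alive_until` and stops answering after that.
    Returns the list of ("dpd", t) and ("dead", t) events."""
    side = DpdSide(worry, peer_supports_dpd)
    events = []
    for t in range(horizon + 1):
        if t in data_times and t <= peer_alive_until:
            side.data_received(t)
        result = side.tick(t)
        if result == "dpd":
            events.append(("dpd", t))
            if t <= peer_alive_until:       # a live peer answers at once (idealized)
                side.data_received(t)
        elif result == "dead":
            events.append(("dead", t))
            break
    return events


# Constructed scenario: data flows at t=0, the peer reboots at t=30 and never comes back.
if __name__ == "__main__":
    print(simulate(CLIENT_WORRY, True, {0}, 30, 200))             # client notices at t=100
    print(simulate(CONCENTRATOR_WORRY, True, {0}, 30, 1500)[-1])  # Concentrator: ('dead', 1200)
    print(simulate(CLIENT_WORRY, False, {0}, 30, 200))            # []: nothing detects the loss
```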
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Remote access parameters include group lock, user authentication, IP compression, and mode 
configuration parameters. The parameters are configured as follows: 


■ Group Lock check box—Selecting this check box locks users into a specific group. (For example, RADIUS allows you to lock specific users to a group.) You can lock a user to a group based on the Organizational Unit (OU) of a certificate or by using the RADIUS Class attribute OU = group name. For example, according to the RADIUS server, Joe is a member of the Training group. If Joe tries to log in as a member of the IS group, which has different access rights, the connection fails.


■ Authentication drop-down menu—In the Concentrator, remote users are authenticated twice. This parameter pertains to the private network authentication. It determines how users within the group are authenticated and whether a Windows NT, SDI, or RADIUS server will authenticate them.


■ Authorization Type drop-down menu—If members of this group need authorization in addition to authentication, you can choose an authorization method. The following options are available:


— None—Do not authorize users in this group. 


— RADIUS—Use an external RADIUS authorization server to authorize users in this 
group. 


— Lightweight Directory Access Protocol (LDAP)—Use an external LDAP authorization 
server to authorize users in this group. 
■ Authorization Required check box—If you are using authorization, you can make it mandatory or optional.


■ DN Field drop-down menu—If users in this group are authenticating by means of digital certificates and require LDAP or RADIUS authorization, you can choose which distinguished name (DN) field from the certificate uniquely identifies the user to the authorization server.


■ IPComp drop-down menu—IP compression runs inside IPSec. Outbound data is compressed and then encrypted. At the remote end, data is decrypted and then decompressed. IP compression uses fewer bytes per transmission. On a low-speed line, fewer bytes to transmit equates to faster transmission of the message. For example, you might put all modem users into a group and enable IP compression, which should speed up the transmissions. However, there is a processing penalty for compression. At higher speeds, 64 Kbps and above, IP compression tends to slow transmission due to the processing delays of compression and decompression. Do not enable IP compression for high-speed users. Doing so would slow the performance of the PC and Concentrator.


■ Reauthentication on Rekey check box—When this check box is selected, the Concentrator prompts the user for identification and a password whenever a rekey occurs. This feature is disabled by default.


■ Mode Configuration check box—Selecting this check box enables the Concentrator to push information to the Software Client.
[Figure: Client Config tab, Common Client Parameters: Split Tunneling Policy (Tunnel everything: send all traffic through the tunnel; Allow the networks in the list to bypass the tunnel: the VPN Client may send traffic to addresses in this list to the client's LAN and all other traffic through the tunnel, Cisco VPN Client only; Only tunnel networks in the list: send traffic to addresses in this list through the tunnel and all other traffic to the client's LAN); Split Tunneling Network List; Default Domain Name (the default domain name given to users of this group); Split DNS Names (the set of domains, separated by commas without spaces, to be resolved through the split tunnel; cisco.com)]
Most of the configuration issues in a remote access network originate at the remote PC. A large number of parameters must be programmed on the remote user PC, and not every user could perform the needed changes. The Internet Engineering Task Force (IETF) IPSec Working Group solved the issue with mode configuration: the end user or IT department loads a minimum IPSec configuration on the end-user PC, and during IPSec tunnel establishment the Concentrator pushes the remaining information to the PC.


The administrator can program this information under the Configuration>User 
Management>Groups>Client Config tab. The Client Config tab has three sections: one for 
parameters specific to Cisco Clients, one for Microsoft client parameters, and one for common 
client parameters. 
Client Configuration Parameters

[Figure: Client Config tab, Cisco Client Parameters (Attribute / Value / Inherit? / Description): Banner (enter the banner for this group; only software clients see the banner); Allow Password Storage on Client (check to allow the IPSec client to store the password locally); IPSec over UDP (check to allow a client to operate through a NAT device using UDP encapsulation of ESP); IPSec over UDP Port (enter the UDP port to be used for IPSec through NAT, 4001 - 49151, except port 4500, which is reserved for NAT-T); IPSec Backup Servers (Use Client Configured List; select a method to use or disable backup servers; enter up to 10 IPSec backup server addresses/names from high priority to low, one per line)]
During IPSec tunnel establishment, the Concentrator pushes the Software Client information to 
the PC. These parameters include a login banner, split tunneling, IPSec over UDP, and so on. 


Cisco VPN Client parameters can be set from the Client Config tab as follows: 


■ Banner field—When a Software Client logs into the VPN, the banner that you enter in this field is displayed. It can be up to 510 characters and can consist of multiple lines of text instead of a single line (the text wraps). Enter a period (.) in the CLI to finish the entry and set the banner. If you enter more than 510 characters, the Software Client will see an error during login.


Note Each line break uses two characters. 


■ Allow Password Storage on Client check box—Password storage on the Client is not recommended for security purposes.


■ IPSec over UDP check box—IPSec packets are wrapped in UDP so firewalls and routers can perform Network Address Translation (NAT).


■ IPSec over UDP Port field—To enable IPSec over UDP, a UDP port number must be assigned.


■ IPSec Backup Servers drop-down menu—You can enable a Hardware Client to connect to the central site when its primary central-site Concentrator is unavailable. Configure backup servers for a Hardware Client either on the Hardware Client or on a group basis at the primary central-site Concentrator. If you configure backup servers on the central-site Concentrator, that Concentrator pushes the backup server policy to the Hardware Client in the group.
There are three tunneling options available to the network administrator: tunnel everything, tunnel everything except local LAN traffic, and split tunneling. The administrator must decide which option is correct for each group of remote Software Clients:


■ Tunnel everything—Once an IPSec tunnel is established, all traffic is encrypted and sent down the tunnel.


■ Tunnel everything except local LAN traffic—Everything is encrypted and sent through the tunnel except traffic destined for the local LAN. There are occasions when the remote user needs to print out spreadsheets locally. For this group of users, tunneling everything except local LAN traffic is the correct option.


■ Split tunneling—A remote user can simultaneously send clear text to a printer, download images from a web site, and send an encrypted report to headquarters, for example.


The default is to tunnel everything. 
[Figure: Client Config tab, Split Tunneling Policy row with the Tunnel everything radio button selected (Tunnel Everything: send all traffic through the tunnel); Split Tunneling Network List; Default Domain Name; Split DNS Names (cisco.com)]
After the VPN tunnel is launched, all traffic is directed through the VPN tunnel. The VPN tunnel everything option allows only IP traffic to and from the secure gateway, prohibiting any IP traffic to and from resources on a local network (for example, printer, fax, and shared files on another system). While the IPSec tunnel is established, any Internet-bound traffic is forced through the tunnel to the central site.


Select the Group>Client Config tab to enable the tunnel everything option. Within this tab, 
select the Tunnel everything radio button within the Split Tunneling Policy row. 
[Figure: Client Config tab, Split Tunneling Policy row with the Allow the networks in the list to bypass the tunnel option (the VPN Client may send traffic to addresses in this list to the client's LAN and all other traffic through the tunnel; Cisco VPN Client only); Split Tunneling Network List; Default Domain Name; Split DNS Names (cisco.com); Apply and Cancel buttons]
The local LAN access option, on the other hand, provides access to resources on a local LAN while the VPN tunnel is established. The local LAN addresses are pushed to the Software Client. These IP addresses are added to the access control list (ACL) of the Software Client driver. These bypass addresses route ahead of the VPN tunnel encryption algorithm. Any data bound for, or received from, the addresses specified in the mode configuration message is sent or received in the clear. This practice allows access to the local LAN while the IPSec tunnel is running. All other traffic is encrypted and forwarded to the central site. For security purposes, the user has the ability to disable local LAN access when using an unsecured local network (for example, in a hotel).


Two steps are required to configure the option: 


Step 1 Enable the feature. Select the Allow the networks in the list to bypass the tunnel radio button within the Split Tunneling Policy row.

Step 2 Supply the referenced IP address list. Choose VPN Client Local LAN (Default) from the Split Tunneling Network List drop-down menu.
[Figure: Network Lists window, Modify a configured Network List: List Name VPN Client Local LAN (Default) (the name must be unique); Network List 0.0.0.0/0.0.0.0. Enter the networks and wildcard masks in the format n.n.n.n/n.n.n.n (e.g. 10.10.0.0/0.0.255.255), one network and wildcard mask pair per line. A wildcard mask is the reverse of a subnet mask: it has 1s in bit positions to ignore and 0s in bit positions to match (for example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses). The wildcard mask may be omitted if the natural wildcard mask is to be used. Generate Local List generates a network list based on routing entries on the Private interface. Buttons: Apply, Cancel, Generate Local List]
A local LAN network address list is required for the local LAN option. Go to the Configuration>Policy Management>Traffic Management>Network Lists window to configure the LAN address. The address list pushed to the Software Client is 0.0.0.0/0.0.0.255. This is a special case: it directs the Software Client to interpret the network address and subnet mask of the LAN interface over which the VPN connection is being made as the local LAN address, and to route all locally addressed LAN packets in clear text. The 0.0.0.0/0.0.0.255 network address list is referred to as the Software Client LAN (default) list.


In the example in the figure, the Software Client resides on the 192.168.1.0 network. Having 
received a 0.0.0.0/0.0.0.255 network list, the Software Client routes all 192.168.1.0 traffic in 
clear text. All other traffic is encrypted and sent down the tunnel. 
Split tunneling enables remote users to access Internet networks without requiring them to tunnel through the corporate network. Before split tunneling is enabled, all traffic originating from the Software Client is encrypted and routed through the secure tunnel. This traffic includes both secure and Internet browsing traffic. The secure traffic is terminated, while Internet traffic is routed back out to the Internet. A large percentage of the corporate backbone bandwidth is used for redirected web browsing traffic from remote users.

Split tunneling addresses the redirect issue, because split tunneling routes only secure, encrypted traffic through the tunnel. Nonsecure traffic (for example, web browsing) is sent in the clear. The ISP can route the traffic accordingly (for example, secure traffic goes to the corporate network, and web browsing goes to the ISP).
[Figure: Client Config tab, Common Client Parameters, Split Tunneling Policy row with the Only tunnel networks in the list radio button selected (send traffic to addresses in this list through the tunnel and all other traffic to the client's LAN); Split Tunneling Network List: Pod 1 network list; Default Domain Name; Split DNS Names]
The Concentrator pushes specific IP addresses to the Software Client to implement split tunneling. Traffic bound for one of these addresses is encrypted and sent to the Concentrator. If the IP address is different from the pushed addresses, the message is sent in the clear and, therefore, is routable by the ISP.


Configuring split tunneling requires two steps: 


Step 1 Enable split tunneling by clicking the Only tunnel networks in the list radio button within the Split Tunneling Policy row.


Step 2 Choose the appropriate list from the Split Tunneling Network List drop-down menu. This menu 
presents a predefined list of secure network addresses. 
[Figure: Network Lists window, Configure and add a new Network List: List Name Pod 1 network list (the name must be unique); Network List 10.0.1.0/0.0.0.255, entered as network/wildcard mask pairs in the format n.n.n.n/n.n.n.n, one pair per line (for example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses); the wildcard mask may be omitted if the natural wildcard mask is to be used; Generate Local List generates a network list based on routing entries on the Private interface. Buttons: Add, Cancel, Generate Local List]
The Concentrator pushes specific IP addresses to the Cisco VPN Client. Traffic bound for one of these addresses is encrypted and sent to the Concentrator. These addresses are defined under Configuration>Policy Management>Traffic Management>Network Lists. In the List Name field, enter a name for the list. In the Network List field, supply the network and wildcard mask. In the example in the figure, the administrator wants to send clear text to the Internet and local printer. The administrator also wants to send encrypted traffic to the headquarters: the 10.0.1.0 network. In the Network List field, the administrator defines a network list name (Pod 1 network list) and configures the private network IP address and wildcard mask (10.0.1.0/0.0.0.255). As a result, any traffic bound for a host on the 10.0.1.0 network is encrypted and sent down the IPSec tunnel. All other traffic is sent in plain text.
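The split-tunneling decision described in this section and in the local LAN section above, as an added example (not Cisco code): a Python model of how a client could apply a pushed network list of network/wildcard pairs under the three Split Tunneling Policy options. The policy constant names, the classful fallback for an omitted wildcard mask, and the sample addresses are this example's own assumptions.

```python
"""Split-tunneling decision against a Concentrator-style network list.

Added example, not Cisco code. Entries use the Network List format
n.n.n.n/n.n.n.n, where 1 bits in the wildcard mask are ignored and 0 bits
must match. The policy names are this example's labels for the three
Split Tunneling Policy radio buttons.
"""
import ipaddress
from typing import List, Tuple

# The "Software Client LAN (default)" entry: the client substitutes the
# network of the LAN interface the VPN connection is made over.
LOCAL_LAN_DEFAULT = "0.0.0.0/0.0.0.255"

TUNNEL_EVERYTHING = "tunnel_everything"  # Tunnel everything
BYPASS_LIST = "bypass_list"              # Allow the networks in the list to bypass the tunnel
ONLY_LIST = "only_list"                  # Only tunnel networks in the list


def natural_wildcard(network: str) -> int:
    """Classful wildcard used when the mask is omitted (this example's assumption)."""
    first_octet = int(network.split(".")[0])
    if first_octet < 128:
        return 0x00FFFFFF   # class A: 0.255.255.255
    if first_octet < 192:
        return 0x0000FFFF   # class B: 0.0.255.255
    return 0x000000FF       # class C: 0.0.0.255


def parse_entry(entry: str) -> Tuple[int, int]:
    """Return (network, wildcard) as 32-bit integers for one list line."""
    if "/" in entry:
        net_s, wild_s = entry.split("/", 1)
        wild = int(ipaddress.IPv4Address(wild_s))
    else:
        net_s, wild = entry, natural_wildcard(entry)
    return int(ipaddress.IPv4Address(net_s)), wild


def matches(addr: str, entry: str) -> bool:
    """True when every bit the wildcard does not ignore agrees with the network."""
    net, wild = parse_entry(entry)
    care = ~wild & 0xFFFFFFFF            # bit positions that must match
    return ((int(ipaddress.IPv4Address(addr)) ^ net) & care) == 0


def resolve_list(network_list: List[str], client_if: str) -> List[str]:
    """Expand the local-LAN special case using the client's own interface."""
    iface = ipaddress.IPv4Interface(client_if)
    local = f"{iface.network.network_address}/{iface.network.hostmask}"
    return [local if e == LOCAL_LAN_DEFAULT else e for e in network_list]


def decide(dst: str, policy: str, network_list: List[str], client_if: str) -> str:
    """Return 'tunnel' (encrypt, send to the Concentrator) or 'clear' for one packet."""
    if policy == TUNNEL_EVERYTHING:
        return "tunnel"
    in_list = any(matches(dst, e) for e in resolve_list(network_list, client_if))
    if policy == BYPASS_LIST:
        return "clear" if in_list else "tunnel"
    if policy == ONLY_LIST:
        return "tunnel" if in_list else "clear"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed sample: client on 192.168.1.0/24 as in the figure, HQ at 10.0.1.0.
    client_if = "192.168.1.20/255.255.255.0"
    for dst in ("192.168.1.50", "10.0.1.7", "198.51.100.9"):
        print(dst,
              decide(dst, BYPASS_LIST, [LOCAL_LAN_DEFAULT], client_if),
              decide(dst, ONLY_LIST, ["10.0.1.0/0.0.0.255"], client_if))
```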
Split DNS is used in split-tunneling connections. The Software Client will resolve whether a DNS query packet is to be sent in clear text or is to be encrypted and sent down the tunnel. If the packet is encrypted and sent down the tunnel, a corporate DNS server resolves the DNS query. Clear text DNS requests are resolved by ISP-assigned DNS servers.

The client will receive a comma-delimited list of split-DNS names from the Concentrator via mode configuration. When the Software Client receives a DNS query packet, the domain name is compared and sequentially checked against the split-DNS names. Case-insensitive domain name comparison will start at the end of each domain name string and continue toward the beginning of each string, resulting in a match or no match. Query packets passing the comparison will have their destination IP address rewritten and tunneled using the primary DNS IP address configured on the Concentrator. As an example, the query bob.cisco.com is compared against the split-DNS name of cisco.com and results in a match. The cisco.com portion of bob.cisco.com matches the split-DNS string of cisco.com. The bob.cisco.com DNS query is encrypted and sent to the primary DNS server. The primary DNS server will resolve the IP address of bob.cisco.com. Failover in the case of an unreachable primary split-DNS server will result in the secondary split-DNS server being used to resolve further queries. Packets not matching the split-DNS list pass through the client untouched and are transmitted in clear text. As an example, the query news.com, when compared against the split-DNS name cisco.com, results in a mismatch. The news.com DNS query is sent in clear text. The ISP-assigned DNS servers will resolve the IP address.
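The split-DNS comparison described above, as an added example (not Cisco code): a Python model of how a client could classify DNS queries against the pushed Split DNS Names list. The ModeConfig fields, the label-boundary rule in suffix_match, and the server addresses are this example's own assumptions.

```python
"""Split-DNS handling of client DNS queries.

Added example, not Cisco code. It models the comparison the text describes:
the Concentrator pushes a comma-delimited Split DNS Names string plus primary
and secondary DNS servers through mode configuration; each query name is
compared case-insensitively from the end of the string backward against each
split-DNS name. Matches are rewritten to the corporate DNS server and
tunneled; everything else goes untouched to the ISP-assigned DNS server.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ModeConfig:
    split_dns_names: str   # as typed in the Split DNS Names field, e.g. "cisco.com"
    primary_dns: str       # primary DNS server from the Groups>General tab
    secondary_dns: str     # secondary DNS server from the Groups>General tab
    isp_dns: str           # assigned by the ISP, not pushed by the Concentrator


def parse_split_dns(names: str) -> List[str]:
    """Split the pushed string; entries are separated by commas without spaces."""
    return [n.strip().lower().rstrip(".") for n in names.split(",") if n.strip()]


def suffix_match(query: str, split_name: str) -> bool:
    """Compare from the end of each string toward the beginning, ignoring case.

    'bob.cisco.com' vs 'cisco.com' matches; 'news.com' vs 'cisco.com' does not.
    Requiring a label boundary, so that 'notcisco.com' does not match
    'cisco.com', is this example's assumption; the text describes only the
    end-to-start comparison.
    """
    q = query.lower().rstrip(".")
    s = split_name.lower().rstrip(".")
    return q == s or q.endswith("." + s)


def route_dns_query(query: str, cfg: ModeConfig,
                    primary_reachable: bool = True) -> Tuple[str, str]:
    """Return (disposition, server) for one DNS query.

    disposition is 'tunnel' (destination rewritten to the corporate DNS server
    and encrypted) or 'clear' (sent untouched to the ISP-assigned server).
    Failover to the secondary server applies only to tunneled queries.
    """
    for name in parse_split_dns(cfg.split_dns_names):   # sequential check
        if suffix_match(query, name):
            server = cfg.primary_dns if primary_reachable else cfg.secondary_dns
            return "tunnel", server
    return "clear", cfg.isp_dns


if __name__ == "__main__":
    # Constructed sample values; the server addresses are placeholders.
    cfg = ModeConfig("cisco.com", "10.0.1.10", "10.0.1.11", "203.0.113.53")
    for q in ("bob.cisco.com", "BOB.Cisco.COM", "news.com", "notcisco.com"):
        print(q, route_dns_query(q, cfg))
```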
[Figure: Client Config tab, Common Client Parameters, Split Tunneling Policy row with the Only tunnel networks in the list radio button selected; Split Tunneling Network List: Pod 1 network list; Default Domain Name; Split DNS Names (the set of domains, separated by commas without spaces, to be resolved through the split tunnel)]
In the figure, the corporate DNS server will resolve all cisco.com DNS name requests. The ISP-assigned DNS server resolves all clear text DNS requests. Complete the following five-step process to configure split DNS:


Step 1 Define a list of secure networks. The network list is defined under Configuration>Policy Management>Traffic Management>Network Lists.


Step 2 Configure the Concentrator for split tunneling from the Configuration>User Management> 
Groups>Client Config tab. Click the Only tunnel networks in the list radio button to enable 
split tunneling. 

Step 3 From the Configuration>User Management>Groups>Client Config tab, select the newly 
defined network list from the Split Tunneling Network List drop-down menu. 


Step 4 From the Configuration>User Management>Groups>Client Config tab, enter the names of the 
corporate DNS servers in the Split DNS Names field (for example, cisco.com). Use commas, 
without spaces, to separate the names for multiple entries. 


Step 5 From the Configuration>User Management>Groups>General tab, define the primary and 
secondary DNS server IP addresses. The primary and secondary DNS servers resolve the 
encrypted DNS queries. 
DNS servers were originally used in a static environment. As a new host was added to the network, an administrator would add the host to the DNS database. When remote hosts dynamically attach to and detach from the network, static updates of remote host information in the DNS database become impossible. The dynamic DNS (DDNS) feature is often used in networks to coordinate hostname information between DHCP and DNS servers in an attempt to accurately reflect the current network configuration. DHCP clients and servers use dynamic updates to send updated remote hostname information from the DHCP client to the DHCP server. The DHCP server forwards the hostname to the DNS server. The DDNS feature enables DNS servers to accept hostname and IP address updating information.


Prior to Version 3.6, the Software Client did not supply its hostname to the DHCP server. The 
DDNS feature was not supported. In Version 3.6 and above, the Software Client was modified 
to send its hostname to the Concentrator as part of mode configuration messages. The 
Concentrator forwards the Software Client hostname to the DHCP server. The DHCP server 
forwards the information to the DNS server. This practice enables the DNS server to 
dynamically populate its records. The DDNS feature applies to Software Client connections 
only when a DHCP server assigns the Software Client IP address. 
[Figure: Mode Configuration—the Concentrator, DHCP server, or RADIUS server as the source of the information pushed to the Software Client]

Additional information passed to the Software Client includes WINS and DNS IP address information and virtual IP addresses. The WINS and DNS information is programmed in the Groups>General tab. The virtual IP address and network mask originate at the Concentrator, a DHCP server, or a RADIUS server. The virtual IP address source is configurable in the Configuration>System>Address Management window.
Modifying Groups

This section lets you configure groups. A group is a collection of users treated as a single entity.

Click the Add Group button to add a group, or select a group and click Delete Group or Modify Group. To modify other group parameters, select a group and click the appropriate button.

[Figure: Configuration>User Management>Groups window: Actions (Add Group, Modify Group, Delete Group); Current Groups (training (Internally Configured)); Modify (Authentication Servers, Authorization Servers, Accounting Servers, Address Pools, Client Update, Bandwidth Assignment)]
Until Version 2.5 of the Cisco VPN 3000 Series Concentrator software, the authentication servers, address pools, and accounting servers were defined on a global basis. In later versions, the administrator can define specific attributes on a group-by-group basis. For example, one group can use RADIUS, while another group uses Windows NT.


Note Quick Configuration enables you to define attributes only on a global basis. 
[Figure: group-specific address pools and authentication servers for the HR, Finance, and Engineering groups, including a group address pool 10.0.30.50-80]


In Version 2.5 of the Concentrator, you set up global parameters, such as address pools, 
authentication, IP addressing, and so on. All Software Clients access the global parameters. 
Global parameters do not allow for customization. 


Later versions allow you to set authentication and assign IP addressing on a group-by-group 
basis. For example, if you have remote users using different clients (Cisco VPN 2.5 Client, 
Cisco VPN 3.0 Client, and Certicom clients), you can program different groups for each client 
type. This feature enables the administrator to define different address pools, authentication 
server types (RADIUS, NT domain, SDI, and internal), and authentication servers for each 
group. If you run out of address pools under a group setting, or if the Concentrator cannot 
contact the authentication server for the group, the Concentrator defaults to global settings. 


The figure shows three groups: HR, Finance, and Engineering. Each group has a different range of IP addresses and authentication servers. When an HR Software Client tunnels into the Concentrator, it is authenticated by a Windows NT server and assigned an address from the global IP address pool. When an Engineering Software Client establishes a tunnel to the Concentrator, it receives an IP address from a group pool, 10.0.20.60–90, and is authenticated by the RADIUS 2 server. Finance Software Clients receive attributes according to their group parameters.
Types of Authentication

This section lets you configure parameters for servers that authenticate users. You should have a properly configured RADIUS, NT Domain, SDI or Kerberos/Active Directory server to access, or you can configure the internal server and add users to the internal database.

Click the Add button to add a server, or select a server and click Modify, Delete, Move, or Test.

[Figure: Authentication Servers window: 10.0.1.10 (NT Domain), labelled User authentication; Internal (Internal), labelled Group authentication; Actions: Add, Modify, Delete, Move, Test]
Software Clients are authenticated twice: once by the Concentrator and once by an 
authentication server. In the example in the figure, the Software Client is first authenticated 
against the internal group database of the Concentrator. Next, a Windows NT server, 10.0.1.10, 
authenticates the Software Client before access to the private network is allowed. 


The Software Client authentication can be assigned by group. A different server type (NT, SDI, or RADIUS) can conceivably authenticate each group. When the group needs to be authenticated, the Concentrator goes down the authentication server list until it finds the first instance of the assigned authentication server type. The Concentrator then tests for communication with that server. If communication is good, that server determines the Software Client authentication. If the Concentrator cannot communicate with the first server, it will go down the list to the next instance of that server type and retest for communications. The administrator can reorder the priority of the server list by selecting a server under the Authentication Servers window and clicking the Move Up or Move Down buttons. The administrator can also check the communications between the Concentrator and the server. By clicking the Test button under the Actions column, the administrator can test the ability of the Concentrator to reach a specific server.
[Figure: authentication server test dialog: Password field; result "Authentication Successful"; Continue button]
In a remote access network, there are three main trouble spots: at the Cisco VPN Client, between the Software Client and the Concentrator, and between the Concentrator and the authentication server. Using the Test button, you can check communication between the Concentrator and the authentication server. Enter the Software Client username and password for the authentication server in the corresponding fields to complete a user authentication test. Click OK. The Concentrator attempts to log into the authentication server. If successful, an Authentication Successful message displays. If unsuccessful, an Authentication Failed message displays. The authentication test can verify communication between the Concentrator and the authentication server.
IPSec Fragmentation

[Figure: Configuring Ethernet Interface 2 (Public), General Parameters (Attribute / Value / Description): Disabled (select to disable this interface); DHCP Client (select to obtain the IP Address, Subnet Mask and Default Gateway via DHCP); Static IP selected (IP Address 192.168.1.5, Subnet Mask 255.255.255.0); Public Interface checked (check to make this interface a "public" interface); MAC Address; Filter 2. Public (Default); Speed 10/100 auto; Duplex Auto; MTU 1500 (enter the Maximum Transmit Unit for this interface, 68 - 1500); Public Interface IPSec Fragmentation Policy: Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission / Fragment prior to IPSec encapsulation with Path MTU Discovery (ICMP) / Fragment prior to IPSec encapsulation without Path MTU Discovery (Clear DF bit); Apply and Cancel buttons]


IPSec fragmentation policy specifies how to treat packets that exceed the MTU setting when tunneling traffic through the public interface. This feature provides a way to handle cases where a router or NAT device between the Concentrator and the client rejects or drops IP fragments.

For example, suppose a client wants to run the FTP GET command from an FTP server behind the Concentrator. The FTP server transmits packets that when encapsulated would exceed the Concentrator MTU size on the public interface. IPSec fragmentation is not configurable from the Quick Configuration menu. It can be configured from the Configuration>Interface menu. The following options determine how the Concentrator processes these packets:

■ Do not fragment prior to IPSec encapsulation; fragment prior to interface transmission—The Concentrator encapsulates all tunneled packets. After encapsulating the packets, the Concentrator fragments packets that exceed the MTU setting before transmitting them through the public interface. This policy is the default for the Concentrator. This option works for situations where fragmented packets are allowed through the tunnel without hindrance. In the FTP example, large packets are encapsulated and then fragmented at the IP layer.
■ Fragment prior to IPSec encapsulation with Path MTU Discovery (ICMP)—The Concentrator fragments tunneled packets that would exceed the MTU setting during encapsulation. For this option, the Concentrator drops large packets that have the Don't Fragment (DF) bit set and sends an ICMP message, "Packet needs to be fragmented but DF is set," to the packet initiator. The ICMP message includes the maximum MTU size allowed. The Path MTU Discovery message means that an intermediate device (in this case the Concentrator) informs the source of the MTU permitted to reach the destination. If a large packet does not have the DF bit set, the Concentrator fragments prior to encapsulating, thus creating two independent nonfragmented IP packets, and transmits them out the public interface. This policy is the default for the Hardware Client. In this example, the FTP server may use Path MTU Discovery to adjust the size of the packets it transmits to this destination.


m Fragment prior to IPSec encapsulation without Path MTU Discovery (Clear DF bit)—The 
Concentrator fragments tunneled packets that exceed the MTU setting before encapsulating 
them. If the DF bit on these packets is set, the Concentrator clears the DF bit, fragments the 
packets, and then encapsulates them. This action creates two independent nonfragmented IP 
packets leaving the public interface and successfully transmits these packets to the peer site 
by turning the fragments into complete packets to be reassembled at the peer site. In this 
example, the Concentrator overrides the MTU and allows fragmentation by clearing the DF 
bit. 
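The following Python script is an added worked example (not part of the Cisco course material) that models the three policies above on a single inner packet. The ESP tunnel-mode overhead it uses (20-byte outer IP header, 8-byte ESP header, 8-byte IV, padding to the 8-byte 3DES block, 2-byte trailer, 12-byte truncated ICV) is the standard RFC 2406 layout for the 3DES/HMAC-MD5 transform shown in this lesson's session figures; the UDP and TCP encapsulation overheads are the plain header sizes, and the function and policy names are this example's own. It also computes the largest inner packet that still fits the public-interface MTU, which is the quantity the client-side Set MTU tool described later in this lesson adjusts.

```python
"""Model of the VPN 3000 IPSec fragmentation policies (added example, not
Cisco's code).  ESP tunnel-mode sizes follow RFC 2406 with 3DES-CBC and a
96-bit HMAC ICV; policy and function names are illustrative."""

from dataclasses import dataclass, field
from typing import List, Optional

IP_HDR = 20          # inner and outer IPv4 header without options
ESP_HDR = 8          # SPI + sequence number
ESP_IV = 8           # 3DES-CBC IV
ESP_TRAILER = 2      # pad length + next header
ESP_ICV = 12         # HMAC-MD5-96 / HMAC-SHA1-96
CIPHER_BLOCK = 8     # 3DES block size; ESP pads the plaintext to this
UDP_HDR = 8          # IPSec over UDP adds a UDP header
TCP_HDR = 20         # IPSec over TCP adds a TCP header (no options)


def esp_tunnel_size(inner_len: int, transport: str = "none") -> int:
    """Size of the outer packet once an inner IP packet is ESP tunnel-encapsulated."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // CIPHER_BLOCK) * CIPHER_BLOCK   # ceil to block size
    size = IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV
    extra = {"none": 0, "udp": UDP_HDR, "tcp": TCP_HDR}
    return size + extra[transport]


def max_inner_unfragmented(mtu: int, transport: str = "none") -> int:
    """Largest inner packet whose encapsulated form still fits the MTU."""
    n = IP_HDR
    while esp_tunnel_size(n + 1, transport) <= mtu:
        n += 1
    return n


def ip_fragments(total_len: int, limit: int) -> List[int]:
    """Split one IP packet into fragments no larger than limit (payload in 8-byte units)."""
    per_frag = (limit - IP_HDR) // 8 * 8
    payload = total_len - IP_HDR
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IP_HDR + chunk)
        payload -= chunk
    return sizes


@dataclass
class Outcome:
    action: str
    outer_sizes: List[int] = field(default_factory=list)
    icmp_mtu: Optional[int] = None   # MTU advertised in "fragmentation needed"


def apply_policy(policy: str, inner_len: int, df: bool, mtu: int,
                 transport: str = "none") -> Outcome:
    """Apply one of the three public-interface policies to a single inner packet."""
    outer = esp_tunnel_size(inner_len, transport)
    if outer <= mtu:
        return Outcome("forward", [outer])
    if policy == "fragment-after-encap":        # Concentrator default
        # Encapsulate whole, then fragment the ESP packet; the peer must
        # reassemble every fragment before it can check the ICV and decrypt.
        return Outcome("encapsulate-then-fragment", ip_fragments(outer, mtu))
    limit = max_inner_unfragmented(mtu, transport)
    if policy == "pmtud" and df:
        # Honour DF: drop and send ICMP type 3 code 4 carrying the usable MTU.
        return Outcome("drop-icmp-frag-needed", icmp_mtu=limit)
    if policy in ("pmtud", "clear-df"):
        # Fragment the inner packet first (clearing DF if the policy says so),
        # then encapsulate each fragment as its own complete ESP packet.
        return Outcome("fragment-then-encapsulate",
                       [esp_tunnel_size(f, transport) for f in ip_fragments(inner_len, limit)])
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for pol in ("fragment-after-encap", "pmtud", "clear-df"):
        print(pol, apply_policy(pol, 1500, df=True, mtu=1500))
    print("largest unfragmented inner packet, IPSec/UDP:", max_inner_unfragmented(1500, "udp"))
```

With a 1500-byte public MTU the model gives 1446 bytes as the largest inner packet that stays whole without encapsulation overhead in UDP or TCP, 1438 bytes for IPSec over UDP and 1430 bytes for IPSec over TCP, which is why a client MTU of about 1420 (the client's automatic setting) or 1300 avoids fragmentation on the public side.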
Configuration of the Cisco VPN Software Client for Windows

This topic explains how to configure and use the Cisco VPN Software Client for Windows with the Concentrator.

[Figure: Cisco VPN Client 4.0.1 main window. Menus: Connection Entries, Status, Certificates, Log, Options, Help. Toolbar: Connect, New, Import, Modify, Delete. The Connection Entries tab lists one entry, Student1, host 192.168.1.5, transport IPSec/UDP; the status bar reads "Not connected."]
The Cisco VPN Software Client for Windows is a software program that runs on Windows 95, 98, ME, 2000, XP, and NT 4.0. The Software Client on a remote PC, communicating with a Concentrator at an enterprise or service provider, creates a secure connection over the Internet that lets you access a private network as if you were an on-site user.

The figure shows the Software Client window. From this window, you can launch the new-connection wizard, change or set optional parameters, and launch the Software Client.
You can run the Cisco VPN Client in simple mode or in advanced mode. The default is advanced mode, although your network administrator might have configured simple mode as the default.

Use simple mode if you want only to start the Cisco VPN Client application and connect to a VPN device using the default connection entry.

Use advanced mode for the following tasks:

- Managing the Cisco VPN Client
- Configuring connection entries
- Enrolling for and managing certificates
- Viewing and managing event logging
- Viewing tunnel routing data

To toggle between advanced mode and simple mode, press Ctrl-M. Alternatively, you can choose your mode from the Options menu.
The following are the main tabs:

- Connection Entries tab: Displays the list of current connection entries, the host (the VPN device that each connection entry uses to gain access to the private network), and the transport properties that are set for each connection entry.
- Certificates tab: Displays the list of certificates in the VPN Client certificate store. Use this tab to manage certificates.
- Log tab: Displays event messages from all processes that contribute to the client-peer connection. From here you can enable logging, clear the event log, view the event log in an external window, and set logging levels.
Menus—Connection Entries

[Figure: Connection Entries menu, showing commands including Create Shortcut, Set as Default Connection Entry, Import..., and Exit VPN Client]
Use the Connection Entries menu as a shortcut to frequently used connection entry operations. The following commands are available:

- Connect to: Connect to a VPN device using the selected connection entry. If the Connection Entries tab is not selected, a submenu that lists all available connection entries is displayed.
- Disconnect: Disconnect your current VPN session.
- Create Shortcut: Create a shortcut on your desktop for the current connection entry.
- Modify: Edit the current connection entry.
- Delete: Delete the current connection entry.
- Duplicate: Duplicate the selected connection entry. This menu choice lets you create a new connection entry using the configuration from a current connection entry as a template.
- Set as Default Connection Entry: Make the current connection entry the default.
- New: Create a new connection entry.
- Import: Bring in a new connection entry profile from a file.
- Exit VPN Client: Close the Cisco VPN Client application.
Use the Status menu to display routes and notifications and to reset the statistics display. The following commands are available:

- Statistics: View tunnel details, route details, and firewall information for the current VPN session.
- Notifications: View notices from the VPN device you are currently connected to.
- Reset Stats: Clear the statistics from the statistics displays and start over.
Menus—Certificates

Use the Certificates menu to enroll for and manage certificates. The following commands are available:

- View: Display the properties of the selected certificate.
- Import: Import a certificate file from a specified file location.
- Export: Export the selected certificate to a specified file location.
- Enroll: Enroll with a Certificate Authority (CA) to obtain a certificate.
- Verify: Verify that a certificate is still valid.
- Delete: Remove the selected certificate.
- Change Certificate Password: Change the password that protects the selected certificate in the Cisco VPN Client certificate store.
- Retry Certificate Enrollment: Retry a previously attempted certificate enrollment.
- Show CA/RA Certificates: Display digital certificates issued by either a CA or a Registration Authority (RA).
Use the Log menu to manage the log. The following commands are available:

- Enable/Disable: Start collecting events (Enable); stop collecting events (Disable).
- Clear: Erase the events displayed on the Log tab (and in the log window).
- Log Settings: Change the logging levels of event classes.
- Log Window: Display a separate window that shows events. From this window you can save the display, edit logging levels by event class, and clear both log displays. This window shows more events than the display area of the main advanced mode window.
- Search Log: Display a dialog box into which you enter the exact string to be matched. The search string is not case sensitive, and wild cards are not supported. Matched instances are highlighted on the Log tab, not in the log window.
- Save: Store the current log in a specified log file.
Use the Options menu to perform actions such as launching an application. The following commands are available:

- Application Launcher: Start an application before connecting to a VPN device.
- Windows Logon Properties: Control logon features for the Windows NT platform. The following logon features are available:
  - Ability to start a connection before logging on to a Windows NT system
  - Permission to launch a third-party application before logging on to a Windows NT system
  - Control of autodisconnect behavior when logging off
- Stateful Firewall (Always On): Enable and disable the internal stateful firewall.
- Simple Mode: Switch to simple mode.
- Preferences: Sets the following features:
  - Save window settings: Save any changes you make to the Cisco VPN Client window.
  - Hide upon connect: Place the Cisco VPN Client window in the dock when the VPN connection is established.
  - Enable tool tips: Enable tool tips for the toolbar action buttons.
Clicking New from the toolbar or the Connection Entries menu displays the Create New VPN Connection Entry window. The following parameters need to be entered:

- Enter a unique name for this new connection. You can use any name to identify this connection; for example, Engineering. This name can contain spaces, and it is not case sensitive.
- Enter a description of this connection. This field is optional, but it helps further identify this connection. For example, Connection to Engineering remote server.
- Enter the hostname or IP address of the remote VPN device you want to access.

Under the Authentication tab, you must choose whether you are going to be using group or certificate authentication and fill in the required fields as follows:

- In the Name field, enter the name of the IPSec group to which you belong. This entry is case sensitive.
- In the Password field, enter the password (which is also case sensitive) for your IPSec group. The field displays only asterisks.
- Verify your password by entering it again in the Confirm Password field.

For certificates to be exchanged, the Certificate radio button must be selected. In the Name drop-down menu, any personal certificates loaded on your PC are listed. Choose the certificate to be exchanged with the Concentrator during connection establishment. If no personal certificates are loaded on your PC, the drop-down menu is blank. Use the Validate Certificate button to check the validity of the Software Client certificate.
Transparent tunneling allows secure transmission between the Cisco VPN Client and a secure gateway through a router serving as a firewall, which may also be performing NAT or Port Address Translation (PAT). Transparent tunneling encapsulates Protocol 50 (ESP) traffic within UDP packets and can also encapsulate both IKE (UDP 500) and Protocol 50 traffic in TCP packets before they are sent through the NAT or PAT devices or firewalls. The most common application for transparent tunneling is behind a home router performing PAT. The central-site group in the Cisco VPN device must be configured to support transparent tunneling. This parameter is enabled by default. To disable this parameter, deselect the Enable Transparent Tunneling check box under the Transport tab. It is recommended that you always keep this parameter selected.

Note Not all devices support multiple simultaneous connections behind them. Some cannot map additional sessions to unique source ports. Be sure to check with the vendor of your device to verify whether this limitation exists. Some vendors support Protocol 50 (ESP) PAT (IPSec pass-through), which might let you operate without enabling transparent tunneling.

You must choose a mode of transparent tunneling, over UDP or over TCP. The mode you use must match that used by the secure gateway to which you are connecting. Either mode operates properly through a PAT device. Multiple simultaneous connections might work better with TCP. If you are in an extranet environment, then in general, TCP mode is preferable. Some stateful firewalls do not pass the UDP-encapsulated traffic; behind such a firewall, use TCP.
The following transport tunneling options are available:

- Using IPSec over UDP (NAT/PAT): To enable IPSec over UDP (NAT/PAT), select the IPSec over UDP (NAT/PAT) radio button. With UDP, the port number is negotiated. UDP is the default mode.
- Using IPSec over TCP (NAT/PAT/Firewall): To enable IPSec over TCP, select the IPSec over TCP radio button. When using TCP, you must also enter the port number for TCP in the TCP port field. This port number must match the port number configured on the secure gateway. The default port number is 10000.


Allowing Local LAN Access 


In a multiple-NIC configuration, local LAN access pertains only to network traffic on the 
interface on which the tunnel was established. The Allow Local LAN Access parameter gives 
you access to the resources on your local LAN (printer, fax, shared files, and other systems) 
when you are connected through a secure gateway to a central-site VPN device. When this 
parameter is enabled and your central site is configured to permit it, you can access local 
resources while connected. When this parameter is disabled, all traffic from your Cisco VPN 
Client system goes through the IPSec connection to the secure gateway. 


To enable this feature, select the Allow Local LAN Access check box; to disable it, deselect 
the check box. If the local LAN you are using is not secure, you should disable this feature. For 
example, you would disable this feature when you are using a local LAN in a hotel or airport. 


A network administrator at the central site configures a list of networks at the VPN Client side 
that you can access. You can access up to ten networks when this feature is enabled. When 
local LAN access is allowed and you are connected to a central site, all traffic from your system 
goes through the IPSec tunnel except traffic to the networks excluded from doing so (in the 
network list). 


When this feature is enabled and configured on the Cisco VPN Client and permitted on the 
central-site VPN device, you can see a list of the local LANs available by looking at the Routes 
table. 


Adjusting the Peer Response Timeout Value 


The Cisco VPN Client uses a keepalive mechanism called dead peer detection (DPD) to check 
the availability of the VPN device on the other side of an IPSec tunnel. If the network is 
unusually busy or unreliable, you might need to increase the number of seconds to wait before 
the Cisco VPN Client decides that the peer is no longer active. The default number of seconds 
to wait before terminating a connection is 90 seconds. The minimum number you can configure 
is 30 seconds, and the maximum is 480 seconds. 


To adjust the setting, enter the number of seconds in the Peer response timeout (seconds) field. 
The Cisco VPN Client continues to send DPD requests every 5 seconds, until it reaches the 
number of seconds specified by the peer response timeout value. 
The private network may include one or more backup VPN servers to use if the primary server is not available. Your system administrator tells you whether to enable backup servers. Information on backup servers can download automatically from the Concentrator, or you can enter this information manually.
Creating a New Connection—Dial-Up

[Figure: Create New VPN Connection Entry window. Connection Entry: VPN1; Description: Corporate Connection; Host field; tabs Authentication, Transport, Backup Servers, Dial-Up. On the Dial-Up tab: the "Connect to Internet via dial-up" check box; a Microsoft Dial-Up Networking radio button with a Phonebook Entry drop-down; a Third party dial-up application radio button with an Application field; buttons Erase User Password and Cancel.]


To enable and configure a connection to the Internet through dial-up networking, select the Connect to Internet via dial-up check box. This feature is not selected by default.

You can connect to the Internet using the Cisco VPN Client application in either of the following ways:

- Microsoft Dial-Up Networking (DUN): If you have DUN phonebook entries and have enabled the Connect to Internet via dial-up feature, Microsoft DUN is enabled by default. To link your Cisco VPN Client connection entry to a DUN entry, click the Phonebook Entry drop-down arrow and choose an entry from the menu. The Cisco VPN Client then uses this DUN entry to dial into the Microsoft network automatically before making the VPN connection to the private network.

- Third-party dial-up program: If you have no DUN phonebook entries and have enabled the Connect to Internet via dial-up feature, then the third-party dial-up application is enabled by default. Click the Browse button to enter the name of the program in the Application field. This application launches the connection to the Internet. The string you choose or enter in this field is the path name to the command that starts the application and the name of the command; for example: c:\isp\ispdialer.exe dialEngineering. Your network administrator might have set this up for you. If not, consult your network administrator.
Pre-configure Client for Remote Users

[Figure: three Notepad windows showing the preconfiguration files oem.ini, vpnclient.ini and a .pcf profile. The vpnclient.ini window contains the following:]

[main]
EnableLog=1
RunAtLogon=0
xAuthHandler=ipsxauth.exe
[LOG.IKE]
LogLevel=3
[LOG.CM]
LogLevel=3
[LOG.PPP]
LogLevel=3
[LOG.DIALER]
LogLevel=3
[LOG.CVPND]
LogLevel=3
[LOG.XAUTH]
LogLevel=3
[LOG.CERT]
LogLevel=3
[LOG.IPSEC]
LogLevel=3
[CertEnrollment]
SubjectName=student1
Company=Cisco
Department=training
State=Massachusetts
Country=USA
Email=joeuser@cisco.com
CADomainName=training.cisco.com
CAHostAddress=172.26.26.51/certsrv
CACertificate=Basic_Root
An administrator can preconfigure Software Clients. A folder is placed on the remote user PC. Inside the folder is a copy of the Cisco VPN Client software plus three additional files:

- oem.ini: Installs the Software Client without user intervention.
- vpnclient.ini: A global profile that you use to set certain standards for all profiles. If this file is bundled with the Software Client software, it automatically configures the Software Client global parameters when the client is first installed.
- .pcf: Creates connection entries within the dialer application. If this file is bundled with the Software Client software, it automatically configures the Cisco VPN Client connection parameters when the client is first installed. There is one user profile for each .pcf file.

The administrator creates these files using a text editor and places them in the local file system of the remote user. The files must be located in the same folder as the Software Client setup.exe file.

Note The easiest way to create a profile for the Windows platforms is to run the Cisco VPN Client and use the Cisco VPN Client GUI to configure the parameters. When you have created a profile in this way, you can copy the .pcf file to a distribution disk for your remote users. This approach eliminates errors you might introduce by typing the parameters, and the group password is automatically converted to an encrypted format.
.pcf File

[Figure: a sample .pcf user profile opened in Notepad]

[main]
Description=
Host=192.168.1.5
AuthType=1
GroupName=training
GroupPwd=
enc_GroupPwd=66D7EDD56FD14384DEADA3778E0848037DA1B3E
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
NTDomain=
EnableBackup=0
BackupServer=
EnableMSLogon=1
MSLogonType=0
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
VerifyCertDN=
DHGroup=2
ForceKeepAlives=0
PeerTimeout=90
EnableLocalLan=0
EnableSplitDNS=1

.pcf file—User profile
The .pcf file contains all the Software Client configuration parameters. Profiles are created in two ways:

- The remote user creates connection entries via the new-connection wizard. The output of the new-connection wizard is a .pcf file.
- The administrator creates .pcf files using a text editor and places them in the local file system of the remote user, in the C:\Program Files\Cisco Systems\VPN Client\Profiles directory.

Each connection has its own .pcf file. It can be viewed and edited in Notepad. If this file is bundled with the Software Client software, the installer automatically configures the Software Client when the Software Client is first installed.

To make a parameter read-only so that the Software Client user cannot change it within the GUI, put an exclamation mark (!) before the parameter name.
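Because an administrator-built .pcf file is plain text that ships to every remote user, it is worth checking before distribution. The following Python script is an added example (not Cisco's code) that parses a profile, honours the "!" read-only prefix described above, and flags the settings this lesson warns about: a clear-text GroupPwd instead of enc_GroupPwd, a cached user password, local LAN access left on, transparent tunneling switched off, a PeerTimeout outside the 30 to 480 second range, and key parameters that users can still edit. The two sample profiles are constructed for this example; the choice of which parameters to lock, the DH group check and the message texts are this example's own assumptions.

```python
"""Audit a Cisco VPN Client .pcf profile before distribution (added example,
not Cisco's code).  Parameter names are those in the lesson's sample profile;
the checks, thresholds and messages are this example's own choices."""

from typing import Dict, List, Set, Tuple

LOCK_RECOMMENDED = ("Host", "GroupName")   # assumption: fields users should not edit


def parse_pcf(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Return {parameter: value} from the [main] section and the set of
    parameters prefixed with '!' (read-only in the client GUI)."""
    values: Dict[str, str] = {}
    locked: Set[str] = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "main" or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        if name.startswith("!"):
            name = name[1:]
            locked.add(name)
        values[name] = value
    return values, locked


def audit_pcf(text: str) -> List[str]:
    """Return one finding per risky setting; an empty list means the profile passed."""
    p, locked = parse_pcf(text)
    findings: List[str] = []
    if p.get("GroupPwd"):
        findings.append("GroupPwd holds the group password in clear text; "
                        "generate the profile with the GUI so only enc_GroupPwd is set")
    if p.get("SaveUserPassword") == "1" or p.get("UserPassword"):
        findings.append("SaveUserPassword/UserPassword: the user's XAUTH credential is cached in the profile")
    if p.get("EnableLocalLan") == "1":
        findings.append("EnableLocalLan=1: local LAN access stays open while connected "
                        "(disable for hotel or airport networks)")
    if p.get("EnableNat") != "1":
        findings.append("EnableNat is not 1: transparent tunneling disabled; the lesson recommends keeping it on")
    try:
        timeout = int(p.get("PeerTimeout", "90"))
    except ValueError:
        timeout = -1
    if not 30 <= timeout <= 480:
        findings.append(f"PeerTimeout={p.get('PeerTimeout')}: outside the supported 30-480 second range")
    if p.get("DHGroup") == "1":
        findings.append("DHGroup=1: 768-bit Diffie-Hellman is too weak; use group 2 or higher")
    unlocked = [name for name in LOCK_RECOMMENDED if name in p and name not in locked]
    if unlocked:
        findings.append("not marked read-only with '!': " + ", ".join(unlocked))
    return findings


# Constructed sample profiles (not from the course); the first is deliberately sloppy.
WEAK_PCF = """\
[main]
Description=Corporate Connection
Host=192.168.1.5
AuthType=1
GroupName=training
GroupPwd=training
enc_GroupPwd=
Username=student1
SaveUserPassword=1
UserPassword=
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
DHGroup=2
PeerTimeout=900
EnableLocalLan=1
EnableSplitDNS=1
"""

HARDENED_PCF = """\
[main]
Description=Corporate Connection
!Host=192.168.1.5
AuthType=1
!GroupName=training
GroupPwd=
enc_GroupPwd=0123456789ABCDEF
Username=student1
SaveUserPassword=0
UserPassword=
EnableNat=1
TunnelingMode=0
TcpTunnelingPort=10000
DHGroup=2
PeerTimeout=90
EnableLocalLan=0
EnableSplitDNS=1
"""
# enc_GroupPwd above is a placeholder value, not a real encoded password.

if __name__ == "__main__":
    for label, profile in (("weak", WEAK_PCF), ("hardened", HARDENED_PCF)):
        print(label, audit_pcf(profile) or ["ok"])
```

Run against the weak profile the audit reports five findings; the hardened profile, with Host and GroupName locked and only enc_GroupPwd populated, passes cleanly.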
Silent Mode

[Figure: oem.ini opened in Notepad, with callouts "Name of the destination folder" on InstallPath and "Identifies whether or not to restart the system after the silent installation" on Reboot]

[Default]
SilentMode=1
InstallPath=C:\Program Files\Cisco Systems\VPN Client
DefGroup=VPN Client
Reboot=1
The oem.ini file installs the Software Client without user intervention. The administrator can create an oem.ini file in Notepad. Under SilentMode, enter 0 or 1:

- 1: Activates silent installation (does not prompt the user)
- 0: Prompts the user during installation

After the oem.ini file is created, identify the path name and folder to contain the Software Client software under InstallPath. The default path name to the Cisco VPN Client software is C:\Program Files\Cisco Systems\VPN Client.

Last, decide whether to reboot the system. Under Reboot, enter 1 or 2:

- If silent mode is on (1) and Reboot is 1, the system automatically reboots after installation.
- If silent mode is on (1) and Reboot is 2, the system does not reboot after the installation.
Client Program Menu

[Figure: Windows Start menu, Programs > Cisco Systems VPN Client, showing the items Help, Set MTU, VPN Client, and Uninstall VPN Client]
After the Software Client has been installed, access the Software Client program menu by choosing Start>Programs>Cisco Systems VPN Client. Under the Cisco Systems VPN Client menu, a number of options are available:

- Help: Accesses Software Client help text. Help is also available by doing the following:
  - Press F1 at any window while using the Cisco VPN Client.
  - Click the Help button on windows that display it.
  - Click the logo in the title bar.
- Set MTU: The Software Client automatically sets the MTU size to approximately 1420 bytes. For specific applications, Set MTU can change the MTU size to fit a specific scenario.
- Uninstall VPN Client: Only one Software Client can be loaded at a time. When you are upgrading, you must uninstall the old Software Client before installing the new Software Client. Choose Uninstall VPN Client to remove the old Software Client.
Setting MTU Size

[Figure: Cisco Systems SetMTU dialog. Caution text: "MTU changes can affect your PC's performance on the network." Network Adapters (IPSec only): Local Area Connection, Local Area Connection 2. MTU Options: Default, 576, 1300, Custom (with a value field). Buttons: Cancel, Help.]
The Set MTU option is used primarily for troubleshooting connectivity problems. For specific applications where fragmentation is still an issue, Set MTU can change the MTU size to fit the specific scenario. The Cisco VPN Client automatically adjusts the MTU size to suit your environment, so running this application should not be necessary.

The MTU parameter determines the largest packet size in bytes that the client application can transmit through the network. If the MTU size is too large, the packets may not reach their destination. Adjusting the size of the MTU affects all applications that use the network adapter. Therefore, the MTU setting you use can affect the performance of your PC on the network. MTU sizing affects fragmentation of IPSec and IPSec through NAT mode packets to your connection destination. A large size (for example, more than 1300) can increase fragmentation. Using a size of 1300 or smaller usually prevents fragmentation. Fragmentation and reassembly of packets at the destination causes slower tunnel performance. Also, many firewalls do not let fragments through.

To implement a different MTU size, select the network adapter in the Network Adapters (IPSec only) field. In the example in the figure, Dial-up Networking is selected. In the MTU Options group box, set the MTU option size by clicking the appropriate radio button. You must reboot for MTU changes to take effect.
Virtual Adapter

[Figure: Windows 2000 Network and Dial-up Connections folder listing Local Area Connection and Local Area Connection 6. The Local Area Connection 6 Properties dialog shows "Connect using: Cisco Systems VPN Adapter" and the bound components Client for Microsoft Networks, Deterministic Network Enhancer, File and Printer Sharing for Microsoft Networks, and Internet Protocol (TCP/IP).]
A virtual adapter is a software-only driver that acts as a valid interface in the system. Its purpose is to solve protocol incompatibility problems. The virtual adapter appears in the network properties list just like a physical adapter and displays all the information you would usually find under any other network adapter that is installed. It is available on Windows 2000 and XP only.
Viewing Connected Clients—Concentrator Connection Status

[Figure: Monitor>Sessions window. The page text reads: "This screen shows statistics for sessions. To refresh the statistics, click Refresh. Select a Group to filter the sessions. For more information on a session, click on that session's name." A Group drop-down is set to -All-; Reset and Refresh buttons are shown.]

Session Summary
  Active LAN-to-LAN Sessions: 0
  Active Remote Access Sessions: 1
  Active Management Sessions: 1
  Total Active Sessions: 2
  Peak Concurrent Sessions: 2
  Concurrent Sessions Limit: 100
  Total Cumulative Sessions: 10

LAN-to-LAN Sessions (columns: Connection Name, IP Address, Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx)
  No LAN-to-LAN Sessions

Remote Access Sessions (columns: Username, Assigned IP Address, Public IP Address, Group, Protocol, Encryption, Login Time, Duration, Client Type, Version, Bytes Tx, Bytes Rx)
  student1, 10.0.1.70, 192.168.1.6, Training, IPSec, 3DES-168, Jul 22 12:17:01, 0:07:59, WinNT, 3.6

Management Sessions (columns: Administrator, IP Address, Protocol, Encryption, Login Time, Duration)
  admin, 10.0.1.70, HTTP, None
The Monitor>Sessions window can be divided into four topics:

- Session Summary: Gives you an overview of all the sessions as well as total active, peak concurrent, and total cumulative sessions.
- LAN-to-LAN Sessions: Displays individual LAN-to-LAN sessions. In the example in the figure, there are currently no LAN-to-LAN sessions.
- Remote Access Sessions: Displays statistics on all the remote access sessions. In the example in the figure, there is currently one active session. The username is student1, and it belongs to the Training group. The virtual IP address assigned is 10.0.1.70, and the tunneling protocol is IPSec, using Triple-Data Encryption Standard (3DES) for encryption.
- Management Sessions: Displays information on all the current management users. In the example in the figure, the IP address of the admin user is 10.0.1.70.
Viewing Connected Clients—Status Details

[Figure: Monitor>Sessions detail page for the remote access user, reached by clicking the username; a "Back to Sessions" link and Reset and Refresh buttons appear at the top.]

Session (columns: Username, Public IP Address, Assigned IP Address, Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx)
  student1, 192.168.1.6, 10.0.1.70, IPSec, 3DES-168, Jul 22 12:17:01, 0:09:34, 42934, 35440

Bandwidth Statistics (columns: User Name, Interface, Traffic Volume in bytes: Conformed, Throttled)
  student1 (In), Ethernet 2 (Public), 41246, 191350
  student1 (Out), Ethernet 2 (Public), 45770, 400522

IKE Sessions: 1
IPSec Sessions: 2

IKE Session (Session ID 1)
  Encryption Algorithm: 3DES-168
  Hashing Algorithm: MD5
  Diffie-Hellman Group: Group 2 (1024-bit)
  Authentication Mode: Pre-Shared Keys (XAUTH)
  IKE Negotiation Mode: Aggressive
  (Rekey Time Interval in seconds is also listed)

IPSec Session (Session ID 2)
  Local Address: 192.168.1.5
  Remote Address: 10.0.1.70
  Encryption Algorithm: 3DES-168
  Hashing Algorithm: MD5
  Encapsulation Mode: Tunnel
  (Rekey Time Interval, Idle Time, Bytes Received and Bytes Transmitted are also listed)

IPSec Session (Session ID 3)
  Local Address: 10.0.1.0/0.0.0.255
  Remote Address: 10.0.1.70
  Encryption Algorithm: 3DES-168
  Hashing Algorithm: MD5
  Encapsulation Mode: Tunnel
  Bytes Received: 35440
  Bytes Transmitted: 42934
The Monitor>Sessions window displays basic information about an individual session; however, more in-depth statistics may be required. By double-clicking the remote access username, the administrator can access session details. Session details provide specific IKE and IPSec session information and bandwidth statistics. They also provide a breakdown of the authentication modes, encryption and hash algorithms, DH groups, and rekey intervals for both the IKE and IPSec sessions.
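The session detail page is where an administrator sees what was actually negotiated, so it is a natural place to apply a check. The following Python script is an added example (not Cisco's code) that parses a flattened copy of the detail view, using the field labels from the figure above, and flags weak negotiated parameters: IKE aggressive mode combined with pre-shared keys (the responder's authentication hash travels unencrypted, so a captured exchange allows offline guessing of the group password), MD5 hashing, DH group 1, and single DES. The sample text below is constructed to mirror the figure; the checks and messages are this example's own.

```python
"""Parse the Monitor>Sessions detail view and flag weak negotiated parameters
(added example, not Cisco's code).  Field names match the labels in the
lesson's figure; the sample text and the checks are constructed for this example."""

from typing import Dict, List

FIELDS = ("Session ID", "Local Address", "Remote Address", "Encryption Algorithm",
          "Hashing Algorithm", "Diffie-Hellman Group", "Authentication Mode",
          "IKE Negotiation Mode", "Encapsulation Mode", "Rekey Time Interval",
          "Bytes Received", "Bytes Transmitted")
SESSION_TYPES = ("IKE Session", "IPSec Session")


def parse_session_details(text: str) -> List[Dict[str, str]]:
    """Split a flattened detail page into one dict per IKE/IPSec session."""
    sessions: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SESSION_TYPES:          # the type line follows "Session ID n"
            current["type"] = line
            continue
        for name in FIELDS:
            if line.startswith(name):
                value = line[len(name):].strip()
                if name == "Session ID":
                    current = {"id": value}
                    sessions.append(current)
                else:
                    current[name] = value
                break
    return sessions


def audit_sessions(sessions: List[Dict[str, str]]) -> List[str]:
    """Return one finding per weak parameter across all sessions."""
    findings: List[str] = []
    for s in sessions:
        tag = f"session {s.get('id')} ({s.get('type', 'unknown')})"
        if s.get("type") == "IKE Session":
            aggressive = s.get("IKE Negotiation Mode") == "Aggressive"
            psk = s.get("Authentication Mode", "").startswith("Pre-Shared Keys")
            if aggressive and psk:
                findings.append(f"{tag}: aggressive mode with a pre-shared key; the "
                                "responder's hash is sent unencrypted, so a captured exchange "
                                "allows offline guessing of the group password")
            if s.get("Diffie-Hellman Group", "").startswith("Group 1 "):
                findings.append(f"{tag}: DH group 1 (768-bit) is too weak")
        if s.get("Hashing Algorithm") == "MD5":
            findings.append(f"{tag}: HMAC-MD5 negotiated; prefer SHA")
        if s.get("Encryption Algorithm", "").startswith("DES"):
            findings.append(f"{tag}: single DES negotiated; use 3DES or AES")
    return findings


# Constructed to mirror the layout of the detail page in the figure.
SAMPLE_DETAILS = """\
IKE Sessions: 1
IPSec Sessions: 2
Session ID 1
IKE Session
Encryption Algorithm 3DES-168
Hashing Algorithm MD5
Diffie-Hellman Group Group 2 (1024-bit)
Authentication Mode Pre-Shared Keys (XAUTH)
IKE Negotiation Mode Aggressive
Session ID 2
IPSec Session
Local Address 192.168.1.5
Remote Address 10.0.1.70
Encryption Algorithm 3DES-168
Hashing Algorithm MD5
Encapsulation Mode Tunnel
Session ID 3
IPSec Session
Local Address 10.0.1.0/0.0.0.255
Remote Address 10.0.1.70
Encryption Algorithm 3DES-168
Hashing Algorithm MD5
Encapsulation Mode Tunnel
Bytes Received 35440
Bytes Transmitted 42934
"""

if __name__ == "__main__":
    for finding in audit_sessions(parse_session_details(SAMPLE_DETAILS)):
        print(finding)
```

On the sample the audit reports four findings: the aggressive-mode pre-shared-key IKE session and MD5 on all three sessions. Where certificates are in use instead of a group password, the aggressive-mode finding does not apply, and the later lessons on digital certificates cover that configuration.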
Summary

This topic summarizes what you learned in this lesson.

- The initial configuration of the Cisco VPN 3000 Series Concentrator occurs via the CLI.
- Subsequent configuration of the Cisco VPN 3000 Series Concentrator can be performed using a browser.
- Groups and users are used to assign access and usage rights.
- IPSec policies are assigned to groups.
- Mode configuration enables the Cisco VPN 3000 Series Concentrator to push the network information to the Cisco VPN Software Client.
- The Cisco VPN 3000 Series Concentrator can use several different types of authentication servers.
- The Cisco VPN 3000 Series Concentrator provides extensive monitoring capabilities.
Lab Exercise—Configure the Cisco VPN 3000 Series Concentrator for Remote Access Using Pre-Shared Keys

Complete the following lab exercise to practice what you learned in this lesson.

Objectives

Your task in this lab exercise is to install and configure the Cisco VPN Client and the Cisco VPN 3000 Series Concentrator to enable IPSec-encrypted tunnels using pre-shared keys. Work with your lab exercise partner to complete the following tasks:

- Complete the lab exercise setup.
- Install the Cisco VPN Client.
- Configure the Cisco VPN Client.
- Verify the Cisco VPN Client properties.
- Return the Concentrator to factory settings.
- Configure the Concentrator private interface using the CLI.
- Configure the Concentrator public interface using the CLI.
- Configure the Concentrator default gateway using the CLI.
- Configure the Concentrator using the Cisco VPN 3000 Series Concentrator Manager.
- Verify the Concentrator IKE proposal.
- Verify the Concentrator group parameters.
- Modify the Concentrator public filter.
- Apply the Concentrator public filter.
- Launch the Cisco VPN Client.
- Verify the Cisco VPN connection status.
- Monitor the Concentrator statistics.
Visual Objective


The following figure displays the configuration you will complete in this lab exercise.


Lab Visual Objective

[Figure: student PC with Cisco VPN Client (172.26.26.P) on network 172.26.26.0, a backbone
router (host .1) on 192.168.P.0, and the Cisco VPN 3000 Concentrator (host .5 on each side)
between the 192.168.P.0 and 10.0.P.0 networks.]
Scenario 


Your company wants to implement a VPN using remotely located Cisco VPN Clients 
terminating at centrally located Concentrators. You must configure both the remote Cisco VPN 
Clients and the Concentrators for remote access using pre-shared keys for authentication. 


Network Parameters Used in this Lab Exercise 


The table contains the recommended device and interface IP addresses and subnet masks used in 
this lab exercise. Verify these values with your instructor before proceeding with the lab 
exercise. 
Parameter                        IP Address       Subnet Mask
Student PC primary               172.26.26.P      255.255.255.0
Student PC default gateway       172.26.26.150
Concentrator public interface    192.168.P.5      255.255.255.0
Concentrator private interface   10.0.P.5         255.255.255.0
DHCP server                      10.0.P.10
Remote terminal server           172.26.26.100
Backbone router                  192.168.P.1
Backbone router                  172.26.26.150

(where P = pod number)


Task 1—Complete the Lab Exercise Setup


Before starting this lab exercise, verify that your equipment is set up as follows:

■ Ensure that your student PC is powered on.

■ Ensure that your student IP addresses are configured correctly:

  — Primary IP address—172.26.26.P (where P = pod number)

  — Default gateway IP address—172.26.26.150

■ Ensure that your Concentrator is powered on.

■ Uninstall the Cisco VPN Client if it is installed. Choose Start>Programs>Cisco Systems
VPN Client>Uninstall VPN Client to remove the Cisco VPN Client. Respond to the
questions appropriately.


Task 2—Install the Cisco VPN Client


The Cisco VPN Client is typically installed from the Cisco VPN 3000 Series Concentrator
CD-ROM, using the instructions supplied with the CD-ROM. In this lab exercise, the source files
for the Cisco VPN Client already reside on the hard disk drive of the student PC. Complete the
following steps to install the Cisco VPN Client:

Step 1 Open the Cisco VPN Client folder found on the student PC desktop.

Step 2 Double-click the setup.exe file from the Cisco VPN Client folder. If this is the first time that the
Cisco VPN Client is being installed on this PC, a window opens and displays the following
message: Do you want the installer to disable the IPSec Policy Agent?

Step 3 If the disable IPSec policy agent message appears, click Yes. The Welcome window opens.

Step 4 Read the Welcome window and click Next. The License Agreement window opens.

Step 5 Read the license agreement and click Yes. The Destination Folder Location window opens.

Step 6 Accept the defaults by clicking Next. The Program Folders window opens.

Step 7 Accept the defaults by clicking Next. The Start Copying Files window opens.

Step 8 The files are copied to the hard disk drive of the student PC and the InstallShield Wizard
Complete window opens.

Step 9 Select Yes, I want to restart my computer now, and click Finish. The student PC restarts.

Step 10 Log in to the student PC.

Step 11 Close the Cisco VPN Client folder.


Task 3—Configure the Cisco VPN Client


Complete the following steps to configure the networking parameters of the new Cisco VPN
Client:


Note This procedure assumes that Windows 2000 is already running on the student PC.


Step 1 Choose Start>Programs>Cisco Systems VPN Client>VPN Client. The Cisco Systems VPN
Client window opens.

Step 2 Click New. The Create New VPN Connection Entry window opens.

Step 3 Enter studentP in the Connection Entry field.
(where P = pod number)

Step 4 Leave the description field blank.

Step 5 Enter a Concentrator public interface IP address in the Host field: 192.168.P.5.
(where P = pod number)

Step 6 Verify that the Group Authentication radio button is selected and complete the substeps listed
here.

The following entries are always case sensitive. Use lowercase characters for this lab exercise.

1. Enter a group name: training.

2. Enter a group password: training.

3. Confirm the password: training.

Step 7 Click Save and leave the Cisco Systems VPN Client window open.


Task 4—Verify the Cisco VPN Client Properties


Complete the following steps to verify the Cisco VPN Client parameters you just configured:

Step 1 Ensure that the Cisco VPN Client window is open. If the Cisco VPN Client window is not open,
choose Start>Programs>Cisco Systems VPN Client>VPN Client.

Step 2 Select studentP within the Connection Entry group box and click Modify.
(where P = pod number)

Step 3 Verify that the IP address of the remote server is set to a Concentrator public interface IP
address: 192.168.P.5.
(where P = pod number)

Step 4 Select the Authentication tab and verify the spelling of the group name. If necessary, you can
edit the group name and password here.

Step 5 Select the Transport tab and view the available options. Do not make any changes to the default
settings.

Step 6 Click Save if you have made any changes.

Step 7 Close the Cisco Systems VPN Client window.


Task 5—Return the Concentrator to Factory Settings


The instructor will provide you with the procedures for access to the Concentrator console port,
because this procedure will vary according to your connectivity. After you access the
Concentrator console port, the Concentrator login prompt will appear. Complete the following
steps to return the Concentrator to the factory settings:


Note This procedure assumes that Windows 2000 is already running on the student PC.


Step 1 Log in to the Concentrator CLI using the administrator account:
Login: admin
Password: admin

If you get a Quick prompt for the system time or date parameters, the device has already been
rebooted to factory defaults. In that case, skip this task and proceed directly to Task 6.

Step 2 Access the Administration menu:
Main -> 2

Step 3 Access the System Reboot menu:
Admin -> 3

Step 4 Access the Schedule Reboot menu:
Admin -> 2

Step 5 Select Reboot ignoring the Configuration file:
Admin -> 3

Step 6 Select Reboot Now:
Admin -> 2

The Reboot scheduled immediately message appears, followed by the Rebooting VPN 3000
Series Concentrator now message. Do not attempt to log in to the first login prompt you see
because it takes several moments for the Concentrator to complete the reboot function. A login
prompt appears when the reboot is complete.

Step 7 Leave the CLI session open.


Task 6—Configure the Concentrator Private Interface Using the CLI


Complete the following steps to configure the Concentrator private LAN interface using the CLI
Quick Configuration mode:


Note This procedure assumes that the CLI session is still active from the previous task. If the CLI
session is not active, complete steps 1-6 of the previous task before proceeding.


Step 1 Log in to the Concentrator CLI using the administrator account:
Login: admin
Password: admin

Note When an administrator reboots a Concentrator CLI, as in the previous task, menus open in a
slightly different order. If the system parameters prompt appears, press Enter through the
time, date, time zone, and Daylight Savings Time (DST) prompts to accept the default values.

Step 2 Enter the Concentrator private interface IP address:
Quick Ethernet 1 -> [0.0.0.0] 10.0.P.5
(where P = pod number)

Step 3 Enter the Concentrator private interface subnet mask:
Quick Ethernet 1 -> [255.0.0.0] 255.255.255.0

Step 4 Accept the default Ethernet speed of 10/100 Mbps Auto Detect:
Quick Ethernet 1 -> [3] <Enter>

Step 5 Accept the default duplex mode of Auto:
Quick Ethernet 1 -> [1] <Enter>

Step 6 Accept the default MTU size:
Quick Ethernet 1 -> [1500] <Enter>

Step 7 Save the changes to the configuration file:
Quick -> 3

Step 8 Exit the CLI:
Quick -> 5

If you do not exit, the CLI continues its quick configuration script. You will use the standard
CLI menus for the remaining parameters.

Step 9 Leave the CLI session open.


Task 7—Configure the Concentrator Public Interface Using the CLI


Complete the following steps to configure the Concentrator public interface:

Step 1 Log in to the Concentrator CLI using the administrator account:
Login: admin
Password: admin

Step 2 Select the Configuration menu:
Main -> 1

Step 3 Select the Interface Configuration menu:
Config -> 1

Step 4 Select the Configure Ethernet #2 (Public) menu:
Interfaces -> 2

Step 5 Select the Interface Setting menu:
Ethernet Interface 2 -> 1

Step 6 Accept the default setting to Enable using Static IP Addressing:
Ethernet Interface 2 -> [3] <Enter>

Step 7 Enter the Concentrator public interface IP address:
Ethernet Interface 2 -> [0.0.0.0] 192.168.P.5
(where P = pod number)

Step 8 Accept the default setting for the subnet mask:
Ethernet Interface 2 -> [255.255.255.0] <Enter>

Note Several messages appear, indicating the condition of the Ethernet #2 (public) interface.
Disregard the messages.

Step 9 Select the Select IP Filter menu:
Ethernet Interface 2 -> 3

Step 10 Select 0 (no filter) on the Ethernet #2 (public) interface:
Ethernet Interface 2 -> [Public (Default)] 0

Note In this lab exercise, you have disabled filtering on the public LAN interface to allow access to
the HTTP-based Cisco VPN 3000 Series Concentrator Manager from your student PC. Never
select 0 (no filter) in a live network, because doing so could facilitate a security breach.

Step 11 Return to the top-level menu by using the following shortcut:
Ethernet Interface 2 -> h

Step 12 Save changes to the configuration file:
Main -> 4

Step 13 Do not exit the CLI. Leave the Command Prompt window open, because it will be used to
complete the tasks that follow.


Task 8—Configure the Concentrator Default Gateway Using the CLI


Complete the following steps, starting from the CLI top-level menu, to set the default gateway
parameter of the Concentrator to the IP address of the backbone router:

Step 1 Select the Configuration menu:
Main -> 1

Step 2 Select the System Management menu:
Config -> 2

Step 3 Select the IP Routing menu:
System -> 4

Step 4 Select the Default Gateways menu:
Routing -> 2

Step 5 Select the Set Default Gateway menu:
Routing -> 1

Step 6 Enter the backbone router IP address:
Routing -> 192.168.P.1
(where P = pod number)

Step 7 Select the Set Default Gateway Metric menu:
Routing -> 2

Step 8 Accept the Default Gateway Routing Metric of 1:
Routing -> [1] <Enter>

Step 9 Return to the top-level menu by using the following shortcut:
Routing -> h

Step 10 Save changes to the configuration file:
Main -> 4

Step 11 Exit the CLI session:
Main -> 6

Step 12 Close the Command Prompt window.


Task 9—Configure the Concentrator Using the Cisco VPN 3000 Series
Concentrator Manager


Earlier you configured both the private and public interfaces using the CLI feature of the
Concentrator. Complete the following steps to finish the Concentrator configuration using the
Cisco VPN 3000 Series Concentrator Manager:


Note This procedure assumes that Windows 2000 is already running on the student PC.


Step 1 Launch Internet Explorer by double-clicking the desktop icon.

Step 2 Enter a Concentrator public interface IP address in the Internet Explorer Address field:
192.168.P.5 (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Series
Concentrator Manager.

Step 3 Log in to the Cisco VPN 3000 Series Concentrator Manager using the administrator account:
Login: admin
Password: admin

Note The username (login) and password are always case sensitive.

Step 4 In the main window, click the click here to start Quick Configuration link.

Step 5 From the Configuration>Quick>IP Interfaces window, complete the following substeps:

1. Verify the IP addresses of Ethernet 1, 10.0.P.5, and Ethernet 2, 192.168.P.5, which you
configured via the CLI (where P = pod number).

2. Click Apply if you have made changes to either interface 1 or 2; otherwise, click Continue.
Step 6 From the Configuration>Quick>System Info window, complete the following substeps:

1. Enter vpnP in the System Name field.
(where P = pod number)

Your instructor will provide you with the values to complete the following table:

Parameter                                        Value
Time (Hour:Minute:Second AM/PM)
  (for example, 2:45:00 PM)
Date (Month/Day/Year)
  (for example, July/6/2001)
Time zone (offset in hours from GMT)
  (for example, (GMT-05:00) EST)
Enable DST Support? (circle one)                 SELECT    DE-SELECT

2. In the System Info window, enter the correct time, date, and time zone from the previous
table.

3. Check or uncheck the Enable DST Support check box, depending on which action has been
circled in the previous table.


4. Leave the DNS Server IP Address field set to: 0.0.0.0. 
5. Enter cisco.com in the Domain field. 


6. Leave a backbone router IP address in the Default Gateway field: 192.168.P.1. 
(where P = pod number) 


7. Click Continue. 


Step 7 From the Configuration>Quick>Protocols window, complete the following substeps: 


1. Uncheck the PPTP check box. 
2. Uncheck the L2TP check box. 
3. Check the IPSec check box. 

4. Click Continue. 


Step 8 From the Configuration>Quick>Address Assignment window, complete the following substeps: 


1. Select DHCP. 
2. Enter a DHCP server IP address in the Specify Server field: 10.0.P.10.
(where P = pod number) 


3. Click Continue. 


Step 9 From the Configuration>Quick>Authentication window, complete the following: 


1. Verify that Internal Server is selected from the Server Type drop-down menu. 
2. Click Continue. 


Step 10 From the Configuration>Quick>User Database window, complete the following substeps: 


Note These entries are all case sensitive. Create all entries in lowercase form only. 
1. Enter studentP in the User Name field. 
(where P = pod number) 


2. Enter studentP in the Password field. 
(where P = pod number) 


3. Enter studentP in the Verify field. 
(where P = pod number) 


4. Click Add to add the new user to the database. The new username should appear in the 
Current Users window. 


5. Click Continue. 


Step 11 From the Configuration>Quick>IPSec Group window, complete the following substeps:


Note These entries are all case sensitive. Create all entries in lowercase form only. 


1. Enter training in the Group Name field. 
2. Enter training in the Password field. 

3. Enter training in the Verify field. 

4. Click Continue. 


Step 12 From the Configuration>Quick>Admin Password window, click Continue. Normally you would 
change your password, but for lab exercise consistency, leave the password at the default value. 


Step 13 From the Configuration>Quick>Done window, complete the following substeps: 


1. Click the Save Needed icon, in the upper right corner of the window. The Save Successful 
window opens. 


2. Click OK. 


Step 14 Leave Internet Explorer open and continue to the next task. 
Task 10—Verify the Concentrator IKE Proposal


Complete the following steps to verify the IPSec IKE proposal:

Step 1 From the Configuration menu tree, choose System>Tunneling Protocols>IPSec>IKE
Proposals.

Step 2 Ensure that the CiscoVPNClient-3DES-MD5 proposal appears first under the Active Proposals
list.

Step 3 If you need to make changes, click the Save Needed icon. Always select
CiscoVPNClient-3DES-MD5 when using the Cisco VPN 3.x or 4.x Client. Always select
IKE-3DES-MD5 when using the Cisco VPN 2.5 Client.

Step 4 Leave Internet Explorer open and continue to the next task.


Task 11—Verify the Concentrator Group Parameters


Complete the following steps to verify the Concentrator group parameters you set earlier:

Step 1 From the Configuration menu tree, choose User Management>Groups.

Step 2 Choose training from the Current Groups list.

Step 3 Click Modify Group. It may take a few moments for the text to appear.

Step 4 Select the Identity tab.

Step 5 Verify that Group Name is set to training.

Step 6 Select the IPSec tab.

Step 7 Verify that Authentication is set to Internal.

Step 8 Scroll to the bottom of the window, and click Cancel.

Step 9 Leave Internet Explorer open and continue to the next task.


Task 12—Modify the Concentrator Public Filter


Filtering must be enabled on the public interface in order for the Cisco VPN Client to connect to
the Concentrator. By definition, the filter permits only tunnel and ICMP traffic to pass through
the interface. This filter excludes any HTTP traffic from your student PC. However, for this lab
exercise, the public filter can be modified to permit HTTP traffic to travel both inbound and
outbound. With a modified filter, you can configure and monitor the network from the public
side of the network. Complete the following steps to modify the public filter of the Concentrator:


Note This task is for lab exercise purposes only. For security reasons, this task should never be
completed in a production environment.


Step 1 From the Configuration menu tree, choose Policy Management>Traffic Management>Filters.

Step 2 Choose the Public (Default) filter from the Filter list.

Step 3 Click Assign Rules to Filter within the Actions group box.

Step 4 Choose Incoming HTTP In (forward/in) from the Available Rules list.

Step 5 Click Add.

Step 6 Choose Incoming HTTP Out (forward/out) from the Available Rules list.

Step 7 Click Add.

Step 8 Click Done.


Task 13—Apply the Concentrator Public Filter


For the Cisco VPN Client to connect to the Concentrator, filtering must be applied to the public
interface. Earlier you temporarily set the public interface filter to 0 (none) so you could
configure the Concentrator via HTTP. Complete the following steps to configure the public
interface in the same way with one exception: instead of setting the IP filter to 0 (none), set it to
2 (public):

Step 1 From the Configuration menu tree, choose Interfaces>Ethernet 2 (Public).

Step 2 Select the General tab.

Step 3 Choose Public (Default) from the Filter drop-down menu.

Step 4 Click Apply.

Step 5 Save the changes to the configuration.

Step 6 Log out of the Concentrator.

Step 7 Close Internet Explorer.


Task 14—Launch the Cisco VPN Client


Complete the following steps to launch the Cisco VPN Client on your student PC and create an
IPSec tunnel:

Step 1 Choose Start>Programs>Cisco Systems VPN Client>VPN Client.

Step 2 Verify that the connection entry is studentP.
(where P = pod number)

Step 3 Verify that the IP address of the remote server is set to that of a Concentrator public interface IP
address: 192.168.P.5.
(where P = pod number)

Step 4 Click Connect. Complete the following substeps:

1. When prompted for a username, enter studentP.
(where P = pod number)

2. When prompted to enter a password, enter studentP.
(where P = pod number)

Step 5 Click OK. The following messages flash by quickly at the bottom of the window:

Initializing the connection
Contacting the security gateway at
Authenticating user

The window closes and a Cisco VPN Client icon appears in the system tray.
Task 15—Verify the Cisco VPN Connection Status


A Cisco VPN Client Connection Status window is available to the end user. By double-clicking
the Cisco VPN Client icon, the end user can view general connection information and
connection statistics. Complete the following steps to view the Cisco VPN Client connection
information:

Step 1 Double-click the Cisco VPN Client icon in the system tray and answer the following questions:

Q1) What window opened?

A)

Step 2 Select the Status>Statistics... menu option and answer the following questions.

Q2) What encryption scheme was used?

A)

Q3) What authentication method was used?

A)

Q4) What client IP address was assigned to you?

A)

Step 3 Click Close.


Task 16—Monitor the Concentrator Statistics


Remote access information is available on the Concentrator. The administrator can view event
messages that detail the connection process from start to finish. Once established, the
administrator can view session statistics. Complete the following steps to monitor the
Concentrator statistics:

Step 1 Launch Internet Explorer.

Step 2 Enter a Concentrator private interface IP address in the Internet Explorer Address field: 10.0.P.5
(where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Series Concentrator
Manager.

Step 3 Log in to the Cisco VPN 3000 Series Concentrator Manager using the administrator account:
Login: admin
Password: admin

Step 4 From the Monitoring menu, choose Routing Table.

Q5) Which networks are visible?

A)

Step 5 From the Monitoring menu, choose Filterable Event Log.
Step 6 Click Clear Log.


Step 7 Disconnect your VPN session if it is still active by using the Cisco VPN Client icon in the 
system tray of the student PC. 


Step 8 Re-establish your VPN session. 
Step 9 From the Monitoring menu, choose Filterable Event Log. 


Step 10 Click the |<< button and answer the following questions: 


Q6) What is the group name of the remote client? 


A) 


Q7) What is the username of the remote client? 


A) 


Q8) What SA is the IKE remote peer configured for? 


A) 


Step 11 From the Monitoring menu, choose Sessions and answer the following question:
Q9) Fill in the blanks: 


A) Username 
B) Assigned IP address 
C) Public IP address 
D) Group 
E) Protocol 


F) Encryption 


G) Login time 


H) Duration 


I) Client type 


J) Client version 


Step 12 Select studentP (where P = pod number). More information is displayed. Use this information to 
answer the following questions: 


Q10) The IKE session used: 


A) Encryption algorithm: 


B) Hashing algorithm: 
Q11) The IPSec session identification (ID2) used:


A) Remote address: 
B) Local address: 


C) Encryption algorithm: 


D) Hashing algorithm: 


Step 13 Log out of the Concentrator. 


Step 14 Disconnect your VPN session if it is still active by using the Cisco VPN Client icon in the
student PC system tray.


Step 15 Close Internet Explorer. 


Warning It is very important that you log out of the Cisco VPN 3000 Series Concentrator Manager 
when finished. Failing to log out before exiting the manager interface leaves an administrator 
session open. Eventually, all possible administrator sessions will be used, and you will not be 
allowed to log in again. Also, only the first administrator session has read and write access. 
The remaining administrator sessions have read-only access. 
Configure the Cisco Virtual Private Network 3000 Series Concentrator for Remote Access
Using Digital Certificates


Overview


This lesson teaches how to configure the Cisco Virtual Private Network (VPN) 3000 Series
Concentrator for remote access using digital certificates for authentication. After presenting an
overview of the process, the lesson shows you each major step of the configuration. It includes
the following topics:

■ Objectives

■ CA support overview

■ Certificate generation

■ Validating certificates

■ Configuring the Cisco VPN 3000 Series Concentrator for CA support

■ Summary

■ Lab exercise


Objectives


This topic lists the lesson's objectives.


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

■ Explain the purpose of digital certificates.

■ Generate a PKCS #10 for the Cisco VPN Client and Concentrator.

■ Install certificates in the Cisco VPN Client and Concentrator.

■ Explain how digital certificates are validated and maintained.

■ Configure the Cisco VPN Client and Concentrator for certificate-based remote access.
CA Support Overview


The topic presents an overview of how Certificate Authority (CA) support works.


CA Server Fulfilling Requests from IPSec Peers

[Figure: each IPSec peer individually enrolls with the CA server.]

With a CA, you do not need to configure keys between all of the encrypting IPSec peers.
Instead, you individually enroll each participating peer with the CA and request a certificate.
When this has been accomplished, each participating peer can dynamically authenticate all of the
other participating peers. To add a new IPSec peer to the network, you need to configure only
that new peer to request a certificate from the CA, instead of making multiple key configurations
with all the other existing IPSec peers.
Digital Signature

[Figure: at the local end, a hash algorithm and an encryption algorithm using the private key; at
the remote end, the public key. © 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0—6-5]

The digital signature provides a form of digital credentials that authenticate the identity of the
sending party. Digital signatures are used to link data with the holder of a specific private key
and consist of the following:

■ At the local end, a private key is used to encrypt the hash.

■ At the remote end:

  — Running the original message through a hash algorithm produces the hash.

  — The hash that was appended to the original message is decrypted using the sender's
    public key.

■ If the hashes match, the message was signed with the sender's private key.

■ Only a specific private key can produce the digital signature.
Why Digital Certificates

A key pair has no intrinsic ties to any person or entity. A solution is necessary to reliably tie a
person or entity to a key pair. The solution is digital signatures and digital certificates, which
provide a way to guarantee the source of the message:

■ Digital signatures—Tie a message to a sender's private key, and the hash can be decrypted
by only the sender's public key.

■ Digital certificates—Bind a person or entity to a private key. This is analogous to buying an
item in a department store with a credit card. Typically, the cashier asks for two items: a
credit card and a picture identification. The credit card is swiped through the register to
confirm that the account is valid, that it has not expired, and that it was not revoked. The
picture identification is used to tie the customer to the credit card. Similarly, a digital
certificate is used to bind a person or entity to a digital signature.
Certificate-Based Authentication

[Figure: two users exchanging the digital certificates issued to each of them by the CA.]

Digital certificates are used to authenticate users. They can be used to identify a person,
company, or server. They are the equivalent of a passport or driver's license. The following
example illustrates how this works:

Step 1 User A and B register separately with the CA:

■ Each user generates a public and private key.

■ Certificate requests are completed by both users and forwarded to the CA.

■ A CA issues separate certificates and digitally signs them with its private key, thereby
certifying the authenticity of the user.

■ Certificates are loaded and verified on both users' PCs.

Step 2 User A sends the certificate to user B.

Step 3 User B checks the authenticity of the CA signature on the certificate:

■ The CA public key is used to verify the CA signature on the certificate.

■ If it passes validation, it is safe to assume you are who you say you are; therefore, the
message is valid.

Step 4 User B sends the certificate to user A:

■ The CA public key is used to verify the CA signature on the certificate.

■ When verified, all subsequent communications can be accepted.

Note Certificates are exchanged during the IPSec negotiations.
Certification Authorities (CAs) hold the key to the Public Key Infrastructure (PKI). A CA is a
trusted third party whose job is to certify the authenticity of users to ensure that you are who you
say you are.

The CA digital signature, created with the CA private key, guarantees authenticity. You can
verify a digital signature using the CA public key. Only the CA public key can decrypt the
digital certificate. The CA creates, administers, and revokes invalid certificates.

The CA can be a corporate network administrator or a recognized third party. Trusted sources
supported by the Cisco VPN 3000 Series Concentrator include the following:

■ Entrust

■ RSA Security

■ Network Associates PGP

■ Baltimore

■ Microsoft

■ Verisign


Cisco Secure Virtual Private Networks 4.7
Copyright © 2005, Cisco Systems, Inc.


[Figure: the two PKI models, Central (a single root CA) and Hierarchical (a root CA above
subordinate CAs). CSVPN 4.0—6-9]

PKI is the set of hardware, software, people, policies, and procedures needed to create, manage,
store, distribute, and revoke digital certificates. PKI makes it possible to generate and distribute
keys within a secure domain and enables CAs to issue keys, associated certificates, and
certificate revocation lists (CRLs) in a secure manner. The two PKI models are central and
hierarchical authorities:

■ Central—A flat network design. A single authority, the root CA, signs all certificates. Each
employee who needs a certificate sends a request to the root CA. Small companies with
several hundred employees may use a central CA.

■ Hierarchical authority—A tiered approach. The ability to sign a certificate is delegated
through a hierarchy. The top of the hierarchy is the root CA. It signs certificates for
subordinate authorities. Subordinate CAs sign certificates for lower level CAs or employees.
Large geographically dispersed corporations (for example, Cisco Systems) use hierarchical
CAs. The root CA is located in San Jose, the company headquarters. Rather than having
more than 30,000 employees making certificate requests back to San Jose, subordinate CAs
are placed strategically around the world. Local employees request a certificate from the local
subordinate CA.
Certificate Generation

This topic discusses how certificates are generated and transferred between a CA and the Cisco VPN 3000 Series Concentrator.

[Figure: Certificate Generation Process. End entities (Boston3, Paris12) generate certificate requests; the CA (MS_CA) processes each request and generates the certificate; the root and identity certificates are then installed on each device.]

An end-user (or end-entity) must obtain a digital certificate from the CA to participate in a certificate exchange. This is known as the enrollment process. It requires three steps, followed by installation of the certificates:

Step 1 Each user generates a private and public key pair.

Step 2 The requestor generates a certificate request and sends it to the CA.

Step 3 The CA transforms the certificate request into a digital certificate and returns both a root and identity digital certificate to the requestor.

Step 4 The requestor installs the root certificate into the Concentrator first. While installing the identity certificate, the Concentrator uses the public key from the root certificate to validate the signature of the identity certificate.
Generating a Certificate Request

In the certificate generation process, first you generate a certificate request known as a Public Key Cryptography Standards (PKCS) #10. User information such as a common name, organizational unit, organization, locality, state, country, and public key is requested. After the information is supplied, the Concentrator generates a certificate request: a PKCS#10. The request is formatted as an Abstract Syntax Notation One (ASN.1) message and sent to the CA.
[Figure: Certificate Request Message—PKCS #10 form on the Concentrator. The form reads: "Enter the information to be included in the certificate request. The CA's certificate must be installed as a Certificate Authority before installing the certificate you requested. Please wait for the operation to finish." Fields shown: Common Name (CN) = student1 (the common name for the VPN 3000 Concentrator to be used in this PKI); Organizational Unit (OU) = training (the department); Organization (O) = Cisco Systems (the organization or company); Locality (L) = Austin (the city or town); State/Province (SP) = Texas; Country (C) (the two-letter country abbreviation, e.g., United States = US); Subject AlternativeName (FQDN) and Subject AlternativeName (E-Mail Address) for the VPN 3000 Concentrator to be used in this PKI; Key Size for the generated RSA/DSA key pair.]
The figure shows a sample certificate request form completed on the Concentrator. The information for a certificate request is as follows:

■ Common Name (CN) field—A unique name for the Concentrator.

■ Organizational Unit (OU) field—The Concentrator uses the organizational unit as the group name. By default, the OU field of the certificate must match the group attribute database in the Concentrator.

■ Organization (O) field—The company name.

■ Locality (L)—City or town where the company resides.

■ State/Province (SP)—State or province where the company resides.

■ Country (C)—Country where the company resides.

■ Subject Alternative Name—Fully qualified domain name for the Concentrator, to be used in this PKI.

■ Key Size drop-down menu—The following options are available:

  — RSA 512 bits—This key size provides sufficient security and is the default selection. It is the most common and requires the least processing.

  — RSA 768 bits—This key size provides normal security. It requires approximately two to four times more processing than the 512-bit key.

  — RSA 1024 bits—This key size provides high security, and it requires approximately four to eight times more processing than the 512-bit key.

After the information is entered, the Concentrator generates a certificate request. The output is a new certificate request, a PKCS#10, in the ASN.1 message format.
Generating an Identity Certificate

Upon receipt of the PKCS#10, the CA verifies the authenticity of the PKCS#10. The CA decrypts the digital signature with the requestor's public key to validate it. If valid, the PKCS#10 is transformed into an identity certificate. The identity certificate is a composite of information supplied from the PKCS#10 and the CA. For security, the combined attributes are run through a hash algorithm. The hash value is encrypted using the CA's private key and is attached to the certificate. The identity certificate is then sent to the Concentrator as an ASN.1 formatted message.
The X.509 certificate consists of specific fields and values. The figure shows an example of a Microsoft CA certificate. The certificate information displays the following:

■ Certificate format version—Currently, it is X.509 version 1, 2, or 3.

■ Certificate serial number—Unique certificate numerical identifier in the CA domain. When a certificate is revoked, it is the certificate number that is listed on the CRL.

■ Signature algorithm—Identifies the CA's public key and hashing algorithm.

■ Issuer—The distinguished name of the CA.

■ Validity period—Specifies the start and expiration dates for the certificate.

■ Subject X.500 name—The distinguished name of the entity holding the private key.

■ Subject public key information—Specifies the subject's public key and hashing algorithm.

■ Extensions—Extends the certificate to allow additional information.

■ CRL-Distribution Points (DPs)—Location of the CRL list for this certificate.

■ CA signature—The CA performs a hash function on the certificate contents; the hash is then signed with the CA's private key to ensure authenticity.
Digital Certificate Encoding

[Figure: a digital certificate being transferred between the CA and a PC or Concentrator.]

When a certificate is sent between a CA and a Concentrator or PC, the ASN.1 formatted message is encoded. The digital certificate encoding can be one of two types: Distinguished Encoding Rules (DER) data (raw binary format) or Privacy Enhanced Mail (PEM) format (binary converted to base 64 format). Typically, when you request a certificate, the CA prompts you for the encoding type: DER or base 64 encoding. This may be an issue if the sender or receiver can support only one encoding type. The Concentrator can support both types.

The CA can send certificates individually as identity and root certificates. You can also request an all-inclusive CA certificate path, PKCS#7. PKCS#7 is a message syntax that allows multiple certificates to be enveloped within one message (the same concept as PKZIP storing multiple files in a .zip file).
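As an added example (not part of the Cisco course material), the following Python shows the two encodings side by side: a constructed DER structure (not a real certificate) is wrapped into and recovered from PEM, an incoming blob is classified as DER or PEM before loading, and the DER tag-length-value structure is decoded. All sample data and function names are constructed for this illustration.

```python
import base64
import re

# Constructed sample (not a real certificate): a DER SEQUENCE holding an
# INTEGER (value 2, i.e. X.509 v3) and a PrintableString "student1".
SAMPLE_DER = bytes.fromhex("300d020102130873747564656e7431")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """PEM is the DER bytes in base 64, wrapped in BEGIN/END armour lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_to_der(pem_text: str) -> bytes:
    """Strip the armour lines and decode the base 64 body back to raw DER."""
    match = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not match:
        raise ValueError("no PEM block found")
    return base64.b64decode("".join(match.group(2).split()), validate=True)


def detect_encoding(blob: bytes) -> str:
    """Classify what a CA handed back before loading it: PEM armour, or a raw
    DER SEQUENCE (tag 0x30, which every X.509 certificate starts with)."""
    if blob.lstrip().startswith(b"-----BEGIN"):
        return "PEM"
    if blob[:1] == b"\x30":
        return "DER"
    raise ValueError("neither PEM armour nor a DER SEQUENCE")


def normalize_to_der(blob: bytes) -> bytes:
    """Accept either encoding (as the Concentrator does) and return raw DER."""
    if detect_encoding(blob) == "PEM":
        return pem_to_der(blob.decode("ascii"))
    return blob


def parse_der(data: bytes) -> list:
    """Decode DER tag-length-value triples into nested (tag, value) tuples.
    Constructed tags (bit 0x20 set, e.g. SEQUENCE 0x30) recurse into their contents."""
    items, i = [], 0
    while i < len(data):
        if i + 1 >= len(data):
            raise ValueError("truncated DER header")
        tag, length = data[i], data[i + 1]
        i += 2
        if length == 0x80:
            raise ValueError("indefinite length is BER, not permitted in DER")
        if length & 0x80:                      # long form: low 7 bits = number of length octets
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        if len(value) != length:
            raise ValueError("truncated DER element")
        i += length
        items.append((tag, parse_der(value) if tag & 0x20 else value))
    return items
```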
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© 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0—8-17 


Before an identity certificate is installed, the Concentrator must validate it. The Concentrator checks the following to validate the identity certificate:

■ Is the identity certificate verified with the CA's public key?

■ Has the identity certificate expired?

■ Has the identity certificate been revoked?

When validated, the certificate is installed on the Concentrator. The identity certificate can now be exchanged with a peer during IPSec tunnel establishment.
Validating Certificates

This topic discusses how digital certificates are validated and maintained.

[Figure: Certificate Validation. A Windows certificate dialog (Details tab) for the student1 certificate: Version; Serial number 0140 ADF1 0002 0000 0187; Signature algorithm sha1RSA; Issuer Basic Root, Training, Altiga, Fr...; Valid from Monday, February 11, 2002; Valid to Tuesday, February 11, 2003; Subject student1, training, cisco, fran...; Public key RSA (512 Bits). Certificate validation: is signed by a trusted CA, has not expired, has not been revoked.]

Digital certificate validation is based on trust relationships within the PKI. If you trust A, and A says that B is valid, then you should trust B. This is the underlying premise when validating certificates. When enrolling into a PKI, you must first obtain and install the CA certificates on the Concentrator. In doing so, you implicitly establish a trust relationship where any documents signed by those CAs are considered to be valid.

During Internet Key Exchange (IKE) negotiations, when an identity certificate is received from an IKE peer, the Concentrator validates the certificate by determining that the certificate:

■ Has been signed by a CA that is trusted (checks the signature).

■ Has not expired.

■ Has not been revoked.
The first step in validating a digital certificate is to validate the signature. Signature validation consists of the following steps:

Step 1 At the CA, the original identity certificate is put through a hash algorithm, the output hash is encrypted by the CA's private key, and the hash is appended to the end of the certificate.

Step 2 At the remote end, there is a two-step process:

■ The receiver uses the CA's public key to decrypt the hash. The result is the original hash value.

■ The received message is sent through the hash algorithm to produce a second hash.

Step 3 The CA-generated hash and Concentrator-generated hash are compared:

■ If they match, the identity certificate is genuine.

■ If they do not match, the certificate is invalid; there is an invalid signature or identity certificate.
Previously, it was stated that the Concentrator needs a copy of the CA's public key to decrypt the hash. The question is where the Concentrator finds a copy of that key. The answer depends on the CA environment, central or hierarchical. In a central, or flat, CA, the root CA signs the identity certificate. The root certificate must be installed before trying to install the identity certificate so that the Concentrator has access to the root's public key. One of the root certificate fields is a copy of the CA's public key. In the example in the figure, the public key of the root certificate checks the signature of Terry's certificate.

In a hierarchical environment, the ability to sign is delegated through the hierarchy. The top is the root CA; it signs certificates for subordinate CAs. The subordinate CA signs certificates for lower level CAs. Ultimately, a subordinate CA will sign the user's identity certificate. The certificate must be validated up the chain of authority. In the example in the figure, Alex's certificate is validated with the public key of the subordinate CA. The subordinate CA is validated with the public key of the root CA.
Validity Period

[Figure: Windows certificate dialog (Details tab) for the root certificate: Serial number 0EB6 76C4 E265 A990 4793 9...; Signature algorithm sha1RSA; Issuer Basic Root, Training, Altiga, Fr...; Valid from Monday, February 11, 2002; Valid to Thursday, February 12, 2004; Subject Basic Root, Training, Altiga, Fr...; Public key RSA (1024 Bits).]

The next step is to check the validity period. A certificate is valid for a specific period of time. The validity period (range) is set by the CA and consists of valid from and valid to fields. On the Concentrator, when you try to add a certificate, the validity range is compared against the system clock. If the system clock is not within the validity range—either too early or too late—you receive an error message.
CRL

[Figure: CRL. A list of revoked certificates (e.g., Cert 12345, Cert 12241, Cert 22333) signed by the CA and stored on the CA or a CRL Distribution Point; there is no requirement on devices to ensure that the CRL is current.]

Checking the CRL is the last validation step. A CRL is a list issued by the CA that contains certificates that are no longer valid. CRLs are signed by the CA and are released periodically or on demand. CRLs are valid for a specific amount of time, depending on the CA vendor used. Some reasons a certificate might be invalidated are as follows:

■ User data changes (for example, the username).

■ A key is compromised.

■ An employee leaves the organization.

The CRL must be consulted by anyone using a certificate, to ensure that it is still valid. There is no requirement on devices to ensure that the CRL is current.
CRL—General

[Figure: Certificate Revocation List dialog, General tab. Issuer Basic Root, Training, Altiga, Frankl...; Effective date Tuesday, February 26, 2002 9:03...; Next update Tuesday, March 05, 2002 9:23:45...; Signature algorithm sha1RSA; Authority Key Identifier KeyID=4D6D 441A 6880 2963 8A...; CA version V2.2.]

The figure contains an example of a CRL. The CRL dialog has two tabs: General and Revocation List. The General tab includes information about the CRL itself, such as the name of the CA that issued the list, the date the list was issued, and the date of the next publication. The publication interval could be hourly, daily, weekly, and so on, as defined by the CA. The Revocation List tab includes all the revoked certificates, listed by certificate serial number and revocation date.
CRL—Revocation List

[Figure: Certificate Revocation List dialog, Revocation List tab. Five revoked certificates are listed by serial number (for example, 6165 6904 0002 0000 0162), each with the revocation date Monday, February 18, ...; a revocation entry can be selected to show its fields.]

The figure contains an example of the CRL. The certificate serial number and revocation date and time are listed.
CRL Distribution Point Location

[Figure: certificate Details tab for the student1 certificate (Valid to Tuesday, February 11, 2003; Subject student1, training, cisco, Fran...; Public key RSA (512 Bits)) showing the extension fields Subject Key Identifier, Authority Key Identifier (KeyID=4D6D 441A 6880 2963...), CRL Distribution Points, Authority Information Access and Thumbprint algorithm sha1. The selected CRL Distribution Point entry reads: URL=ldap:///CN=Basic%20Root(2),CN=domain_remote,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=training,DC=altiga,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint]

A number of CRL-DPs are accessible from the Web. Because the Web is a large place, it is difficult for the Concentrator to check a particular certificate to see if it is valid or revoked. As part of the X.509 certificate, the CRL extension includes the CRL-DP. The CRL-DP information is included in the X.509 extension fields. If you double-click the CRL-DPs icon in the certificate, the URL of the CRL-DP is displayed.
Load and validate identity certificate

• Exchange the identity certificates during IKE negotiations.
• Verify the identity certificate signature via the stored root certificate.
• Verify that the certificate validity period has not expired.
• Verify that the identity certificate has not been revoked.

During certificate exchange, identity certificates must be validated. Identity certificates are exchanged during IKE Phase 1 negotiation to authenticate the peers. The PC sends its identity certificate to the Concentrator. The Concentrator validates the certificate as follows:

Step 1 Validate the signature. The Concentrator uses the public key stored on its root certificate to decrypt the identity certificate's hash. The Concentrator also re-computes a hash of the received identity certificate. If the decrypted and re-computed hashes match, the certificate is valid.

Step 2 Check the validity period of the certificate against the system clock of the Concentrator. If the Concentrator's system clock falls within the validity period of the identity certificate, the test is successful. The validity range can be found on the identity certificate.

Step 3 (Optional.) If enabled, the Concentrator locates the CRL and determines whether the identity certificate serial number is on the list. If present, the certificate is revoked. If absent, the certificate is valid.

If the received identity certificate passes the validation process, the Concentrator authenticates the PC. In turn, the Concentrator sends its identity certificate to the PC. The PC performs the same validation process for the Concentrator's identity certificate.
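The three-step validation above (and the signature-validation steps described earlier in this lesson) carried through in Python, as an added example that is not part of the Cisco course material. It assumes a toy textbook-RSA key pair with constructed small primes standing in for the CA (illustrative only, not secure), a certificate modelled as a dictionary of attributes, and serial numbers and dates modelled on the figures; the case where a CRL has been altered without being re-signed is also exercised.

```python
import hashlib
import json
from datetime import datetime, timezone

# Toy RSA key pair standing in for the CA (constructed small primes; illustrative only).
# The Concentrator only ever holds the public half, taken from the root certificate.
_P, _Q = 1000003, 1000033
CA_N = _P * _Q
CA_E = 65537
_CA_D = pow(CA_E, -1, (_P - 1) * (_Q - 1))     # private exponent: stays at the CA
CA_PUBLIC_KEY = (CA_E, CA_N)


def digest(payload: dict) -> int:
    """Hash the certificate (or CRL) attributes. Reduced mod N only so the toy key can sign it."""
    data = json.dumps(payload, sort_keys=True, default=str).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % CA_N


def ca_sign(payload: dict) -> int:
    """CA side: 'encrypt' the hash with the CA private key; the result is attached to the certificate."""
    return pow(digest(payload), _CA_D, CA_N)


def signature_valid(payload: dict, signature: int, ca_public_key: tuple) -> bool:
    """Receiver side: 'decrypt' the attached hash with the CA public key and compare it
    with a hash recomputed over the received attributes."""
    e, n = ca_public_key
    return pow(signature, e, n) == digest(payload)


def validate_identity_cert(cert, signature, ca_public_key, crl=None, crl_signature=None, now=None):
    """The three checks the Concentrator runs on a peer's identity certificate during
    IKE Phase 1. The CRL check is optional (disabled by default on the Concentrator)."""
    now = now or datetime.now(timezone.utc)
    # Step 1: the signature must verify with the root certificate's public key
    if not signature_valid(cert, signature, ca_public_key):
        return "invalid signature"
    # Step 2: the system clock must fall inside the valid-from/valid-to range
    if not (cert["not_before"] <= now <= cert["not_after"]):
        return "outside validity period"
    # Step 3 (optional): the serial number must not appear on a CA-signed CRL.
    # A CRL whose signature no longer verifies is rejected rather than trusted.
    if crl is not None:
        if not signature_valid(crl, crl_signature, ca_public_key):
            return "CRL signature invalid"
        if cert["serial"] in crl["revoked"]:
            return "revoked"
    return "valid"


# Constructed sample data, modelled on the student1 certificate and CRL in the figures.
IDENTITY_CERT = {
    "serial": "0140ADF1000200000187",
    "subject": "CN=student1, OU=training, O=Cisco Systems",
    "issuer": "CN=Basic Root, OU=Training, O=Altiga",
    "not_before": datetime(2002, 2, 11, tzinfo=timezone.utc),
    "not_after": datetime(2003, 2, 11, tzinfo=timezone.utc),
}
IDENTITY_SIG = ca_sign(IDENTITY_CERT)
CRL = {"issuer": IDENTITY_CERT["issuer"], "revoked": ["61656904000200000162"]}
CRL_SIG = ca_sign(CRL)


def demo_results() -> dict:
    """Exercise each outcome: a good certificate, one altered after signing, an expired
    one, a revoked one, and a CRL whose entries were removed without re-signing."""
    in_period = datetime(2002, 6, 1, tzinfo=timezone.utc)
    altered = dict(IDENTITY_CERT, subject="CN=student1, OU=admin, O=Cisco Systems")
    revoked_crl = dict(CRL, revoked=CRL["revoked"] + [IDENTITY_CERT["serial"]])
    stripped_crl = dict(CRL, revoked=[])      # entries removed, old signature kept
    args = (IDENTITY_SIG, CA_PUBLIC_KEY)
    return {
        "good": validate_identity_cert(IDENTITY_CERT, *args, CRL, CRL_SIG, in_period),
        "altered": validate_identity_cert(altered, *args, CRL, CRL_SIG, in_period),
        "expired": validate_identity_cert(IDENTITY_CERT, *args, CRL, CRL_SIG,
                                          datetime(2004, 1, 1, tzinfo=timezone.utc)),
        "revoked": validate_identity_cert(IDENTITY_CERT, *args, revoked_crl,
                                          ca_sign(revoked_crl), in_period),
        "stripped_crl": validate_identity_cert(IDENTITY_CERT, *args, stripped_crl,
                                               CRL_SIG, in_period),
    }
```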
This topic discusses how to install digital certificates on the Cisco VPN 3000 Series Concentrator.

For the Concentrator to participate in the certificate exchange, a certificate needs to be loaded on the Concentrator, which is called Concentrator certificate enrollment. There are two types of Concentrator certificate enrollment:

■ File-based enrollment—This is a manual process. You can enroll by creating a request file, a PKCS#10. When you have created a request file, you can either e-mail it to the CA and receive a certificate back, or you can access the CA's web site and cut and paste the enrollment request into the area that the CA provides. When generated by the CA, the identity and root certificates are downloaded to the PC. The certificates must then be imported onto the Concentrator.

■ Network-based enrollment—This is an automated process which enables you to connect directly to a CA via Simple Certificate Enrollment Protocol (SCEP). Complete the enrollment form to connect to a CA via SCEP. The Concentrator contacts the CA via SCEP and the CA returns a CA certificate. When the CA certificate is verified, the Concentrator uses SCEP to send the enrollment request to the CA, where the CA issues an identity certificate. The CA then returns the identity certificate to the Concentrator. For network-based enrollment to work, both the Concentrator and the CA must support SCEP. There will be further discussion of SCEP-based enrollment later in this lesson.
The Concentrator certificate manual loading process consists of the following:

Step 1 Generate the certificate request and upload it to a CA.

Step 2 The CA generates the identity and root certificates. Each is downloaded to a PC.

Step 3 The certificates are loaded onto the Concentrator.
Manual Enrollment—Generate a Certificate Request

[Figure: Administration>Certificate Management>Enroll windows. The Enroll window reads: "This section allows you to create an SSL or identity certificate request. The identity certificate request allows the VPN 3000 Concentrator to be enrolled into the PKI. The certificate request can be sent to a CA, which will issue a certificate. The CA's certificate must be installed as a Certificate Authority before installing the certificate you requested. Choose the type of certificate request to create." The Identity Certificate window reads: "Select the enrollment method for the identity certificate. To install a certificate with SCEP, the issuing CA's certificate must also be installed with SCEP. Click here to install a new CA using SCEP before enrolling."]
The first step in the Concentrator certificate manual loading process is to generate a certificate request. Complete the following steps to accomplish the task:

Step 1 Choose Administration>Certificate Management>Enroll. The Enroll window opens. Click the Identity certificate link. The choice is between creating an SSL or identity certificate; choose identity certificate.

Step 2 Choose Administration>Certificate Management>Enroll>Identity Certificate. The Identity Certificate window opens. Click the Enroll via PKCS10 Request (Manual) link. You can enroll with a CA manually via a PKCS10 or automatically via SCEP. In this instance, you choose the manual process.

Step 3 Choose Administration>Certificate Management>Enroll>Identity Certificate>PKCS10. The PKCS10 window opens. Fill out the PKCS10 form. There is further discussion of the PKCS10 form later in this lesson.
Group Matching Policy

[Figure: an identity certificate (Subject: CN=student1 sh, OU=training, O=Cisco Systems, L=Austin, SP=Texas; Serial Number 61122D7200060000004A; Signing Algorithm SHA1WithRSA; Public Key Type RSA (512 bits); MD5 and SHA1 Thumbprints; Validity 6/3/2003 at 15:43:57 to 6/3/2004 at 15:53:57; CRL Distribution Point http://austin/CertEnroll/AUSTIN(6).crl) shown above the Configuration>Policy Management>Certificate Group Matching>Policy window, which reads: "Configure the policy for certificate group matching. The VPN Concentrator processes the policies in the order listed below until it finds a match." Options: Match Group from Rules (check to use configured rules to match a certificate to a group); Obtain Group from OU (check to use the certificate OU field to determine the group); Default to Group [—Base Group—] (check to use a default group for certificate users; choose the default group from the drop-down menu).]
When a certificate arrives at the Concentrator during IKE phase one, the Concentrator authenticates the remote peer and extracts the group information from the certificate. The Concentrator attempts to match the extracted information with the Concentrator's group name database. The group name identifies the remote user's Concentrator access privileges. If a match is found, the remote user is afforded the access rights and privileges of the matching group. By default, the Concentrator uses the OU field for group matching. The Configuration>Policy Management>Certificate Group Matching>Policy window enables the administrator to configure alternative group matching options. For example, an administrator may choose to use the organization and organizational unit, or the organizational unit and locality.

Configuring certificate group matching consists of two steps: configure the matching policy and configure the rules. There are three group matching policy options to choose from:

■ Match Group from Rules—Use the rules you have defined for certificate group matching (for example, organizational unit and organization). If the administrator plans to use the Match Group from Rules policy, define the rules before selecting the policy.

■ Obtain Group from OU—Use the organizational unit in the certificate to specify the group to match. This choice is enabled by default.

■ Default to Group—Use a default group or the Base Group for certificate matching. Use the group matching rules set up for this group.

The Concentrator processes the policies in the order they are enabled until it finds a match. Group matching rules will be discussed later in this lesson.




Group Matching Rules

[Figure: a received identity certificate (Subject: CN=student1, OU=VSEC, O=TRAINING, L=AUSTIN, SP=TX; Issuer: CN=AUSTIN) shown above the Configuration>Policy Management>Certificate Group Matching rule window, which reads: "You can also create a rule by entering its text directly in the Matching Criterion box. If you create a rule in this way, separate the components with commas. Also, be sure to add double quotes around the value. If the value itself contains double quotes, replace them with two double quotes. For example, enter the value "Tech" Eng as: """Tech"" Eng". An example of a matching criterion is: OU="Engineering" ISSUER-O="Cisco"". Fields: Enable (check to enable the rule); Group = training (select the group to which this rule applies); Distinguished Name [Subject], Field [CommonName (CN)], Operator [Equals (=)], Append; Matching Criterion = OU="training"O="Cisco"; Add / Cancel.]
The Configuration>Policy Management>Certificate Group Matching window enables an administrator to define rules to match an identity certificate to a permission group based on fields in the identity certificate. You can apply a combination of certificate fields. For a user to be identified as belonging to a certain group, specific fields of the received certificate must match the rules defined for that group. In the figure, the bottom window defines the rules. The top window displays a received identity certificate. In the bottom window, for a user to be recognized as being a member of the training group, the following rules must be met: the received identity certificate's OU = training and O = Cisco. In the top window, the identity certificate's OU field = training and the O field = Cisco.

Define the rules and enable each rule for the selected group to specify a policy for group matching by rules. A group must already exist in the configuration before you can create a rule to apply to it. You can assign multiple rules to the same group. Rules assigned to the same group are combined, and a match results when all rules test true. Also, you must configure a matching policy. You can define rules and matching policies in any order.
Upload the Public-Key Cryptography Standard (PKCS) #10 to the CA after the Concentrator generates the PKCS#10:

Step 1 Manually copy the PKCS#10 output and paste it into the CA. The figure displays an example of a Microsoft CA. The process is virtually the same for the other CAs, but the CA windows and commands will vary.

Step 2 The CA validates the request. Validation may be automatic or may require CA administrator intervention. With automatic approval, the identity certificate is generated with no delay. With required administrator approval, the identity certificate generation is delayed until approved. The approval process varies by CA and company account.

Step 3 The CA produces an identity and root certificate.
The CA generates the certificate when the CA approves the certificate request. The root and identity certificates need to be downloaded to the PC. In the figure, the Microsoft CA provides prompts to guide you through the process.
The certificates are transferred from the PC to the Concentrator. The certificates must be loaded in order. The root certificate is loaded first, followed by the identity certificate.

Complete the following steps to install the root certificate:

Step 1 Choose Administration>Certificate Management>Install. The Install window opens. Click the Install CA certificate link.

Step 2 Choose Administration>Certificate Management>Install>CA Certificate. The CA Certificate window opens. Click Upload File from the Workstation.

Step 3 In the Administration>Certificate Management>Install>CA Certificate>Upload File from the Workstation window, click Browse to browse to the root certificate file on the workstation.

Step 4 Click Install to install the root certificate.

When the root certificate is loaded, it is validated. To be valid, the signature on the certificate must be valid and the certificate must not have expired. A CRL lookup is optional. By default, it is disabled.

Note If you receive an expiration error when loading your root certificate, ensure that the Concentrator's date and time are correctly set.
[Figure: Administration>Certificate Management window. "This section lets you view and manage certificates on the VPN 3000 Concentrator." Links: Click here to enroll with a Certificate Authority; Click here to install a certificate. Certificate Authorities [View All CRL Caches | Clear All CRL Caches] (current: 1, maximum: 6): Subject AUSTIN at TRAINING; Issuer AUSTIN at TRAINING; Expiration 06/04/2005; SCEP Issuer No; Actions View | Configure | Delete. Identity Certificates (current: 1, maximum: 2): Subject student1 sh at Cisco Systems; Issuer AUSTIN at TRAINING; Expiration 06/03/2004; Actions View | Renew | Delete. SSL Certificate [Generate] (Note: The public key in the SSL certificate is also used for the SSH host key): Subject 10.0.1.5 at Cisco Systems, Inc.; Issuer 10.0.1.5 at Cisco Systems, Inc.; Expiration 05/19/2006; Actions View | Renew | Delete. Enrollment Status [Remove All: Errored | Timed-Out | Rejected | Cancelled | In-Progress] (current: 0, available: 2): No Enrollment Requests.]


The Administration>Certificate Management window displays the root certificate in the Certificate Authorities section. Under the Certificate Authorities section, there are five fields. They are as follows:

■ Subject—The Common Name plus the Organization (O) in the Subject field of the certificate.

■ Issuer—The Common Name plus the Organization (O) in the Issuer field of the certificate.

■ Expiration—The expiration date of the certificate.

■ SCEP Issuer—In order for an identity certificate to be available for SCEP enrollment, the root must first be installed via SCEP. This field indicates if the certificate is SCEP-enabled. The two values are as follows:

  — Yes—This certificate was installed via SCEP.

  — No—This certificate was not installed via SCEP.

■ Actions—This column allows you to manage particular certificates. The actions available vary with the type and status of the certificate. The following are the actions:

  — View—View details of this certificate.

  — Configure—Enable CRL checking for this CA certificate, modify SCEP parameters, or enable acceptance of subordinate CA certificates.

  — Delete—Delete this certificate from the Concentrator. Certificates cannot be deleted if they are in use. To remove them from use, first remove the identity certificate from any pre-existing Security Associations (SAs). Then delete the certificate.
View Root Certificate

  Subject             Issuer
  CN=student1sh       CN=AUSTIN
  OU=training
  O=Cisco Systems

  Serial Number           61122D72000600000044
  Signing Algorithm       SHA1WithRSA
  Public Key Type         RSA (512 bits)
  MD5 Thumbprint          84:09:19:01:45:B7:2D:94:5B:2E:5E:BC:63:B2:03:DB
  SHA1 Thumbprint         39:9F:9B:BF:8E:FC:9D:36:31:C6:78:FE:D9:44:F8:F2:B6:D2:84:D5
  Validity                6/3/2003 at 15:43:57 to 6/3/2004 at 15:53:57
  CRL Distribution Point  http://austin/CertEnroll/AUSTIN(6).crl


The Administration>Certificate Management>Certificates>View window enables the
administrator to view the installed root certificate. The root certificate contains the following
information:

■ Subject—Identifies the common name of the subject.

■ Issuer—The CA or other entity (jurisdiction) that issued the certificate.

■ Issuer—Identifies the common name of the issuer. If the common name and issuer name
match, this is a copy of the root certificate.

■ Serial Number—Identifies the certificate serial number.

■ Signing Algorithm—The cryptographic algorithm that the CA or other issuer used to sign
this certificate.

■ Public Key Type—The algorithm and size of the certified public key.

■ Certificate Usage—The purpose of the key contained in the certificate, for example: digital
signature, certificate signing, nonrepudiation, key or data encipherment, and so on.

■ MD5 Thumbprint—A 128-bit Message Digest 5 (MD5) hash of the complete certificate
contents, shown as a 16-byte string. This value is unique for every certificate, and it
positively identifies the certificate. If you question a root certificate’s authenticity, you can
check this value with the issuer.

■ SHA1 Thumbprint—A 160-bit Secure Hash Algorithm 1 (SHA-1) hash of the complete
certificate contents, shown as a 20-byte string. This value is unique for every certificate, and
it positively identifies the certificate. If you question a certificate’s authenticity, you can
check this value with the issuer.

■ Validity—The time period during which this certificate is valid. The Manager checks the
validity against the Concentrator’s system clock, and it flags expired certificates by issuing
event log entries.

■ Subject Alternative Name (FQDN)—The FQDN for this Concentrator that identifies it in
this PKI. The alternative name is an optional additional data field in the certificate, and it
provides interoperability with many Cisco IOS and PIX Firewall systems in LAN-to-LAN
connections.

■ CRL Distribution Point—The DP for CRLs from the issuer of this certificate. If this
information is included in the certificate in the proper format, and you enable CRL checking,
you do not have to provide it on the Administration>Certificate Management>Configure CA
Certificate window.
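The thumbprint and "common name matches issuer" checks described above can be reproduced with nothing more than a hash library. The following is an added example written for this lesson, not Concentrator code or a Cisco tool: it parses the Subject and Issuer strings as shown in the View window, decides whether an entry is a copy of the root (self-issued) certificate, computes the MD5 and SHA-1 thumbprints over a DER byte string, and compares the result with a value obtained from the issuer out of band. The certificate bytes are constructed for the example and are not a real X.509 certificate.

```python
import hashlib
import hmac

# Constructed stand-in for a DER-encoded certificate. These bytes are NOT a real
# X.509 certificate; they only give the hashing code a fixed input to work on.
SAMPLE_CERT_DER = bytes.fromhex(
    "3082010a30818f02030100010201ff"  # arbitrary hex, constructed for this example
) + b"constructed certificate body"


def parse_dn(dn: str) -> dict:
    """Split 'CN=AUSTIN, OU=training, O=Cisco Systems' into {'CN': 'AUSTIN', ...}.
    Attribute types are upper-cased so CN and cn compare equal; values keep their case."""
    parts = {}
    for rdn in dn.split(","):
        attr, sep, value = rdn.partition("=")
        if sep:
            parts[attr.strip().upper()] = value.strip()
    return parts


def is_root_copy(subject_dn: str, issuer_dn: str) -> bool:
    """The Concentrator's rule: if the subject and issuer names match, the entry is a
    copy of the root (self-signed) certificate. The whole DN is compared, not just the
    CN, so two CAs that merely share a Common Name are not mistaken for each other."""
    return parse_dn(subject_dn) == parse_dn(issuer_dn)


def thumbprints(cert_der: bytes) -> dict:
    """MD5 (16 bytes) and SHA-1 (20 bytes) over the complete DER certificate,
    formatted as the colon-separated upper-case hex the Concentrator displays."""
    def fmt(digest: bytes) -> str:
        return ":".join(f"{b:02X}" for b in digest)
    return {"MD5": fmt(hashlib.md5(cert_der).digest()),
            "SHA1": fmt(hashlib.sha1(cert_der).digest())}


def normalize_thumbprint(text: str) -> str:
    """Reduce a thumbprint read over the phone or pasted from a web page to bare hex:
    '39: 9F :9b' and '399F9B' both become '399F9B'."""
    return "".join(c for c in text.upper() if c in "0123456789ABCDEF")


def thumbprint_matches(cert_der: bytes, published: str, algorithm: str = "SHA1") -> bool:
    """Compare the locally computed thumbprint with the value the issuer published.
    The length check means a truncated value can never match; the digest comparison
    itself is constant-time, which costs nothing and is a good habit."""
    computed = normalize_thumbprint(thumbprints(cert_der)[algorithm])
    expected = normalize_thumbprint(published)
    return len(expected) == len(computed) and hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    tp = thumbprints(SAMPLE_CERT_DER)
    print("MD5  Thumbprint", tp["MD5"])
    print("SHA1 Thumbprint", tp["SHA1"])
    print("root copy:", is_root_copy("CN=AUSTIN, OU=training, O=Cisco Systems",
                                     "CN=AUSTIN,OU=training,O=Cisco Systems"))
```

To use it against a real certificate, read the .cer file as bytes and pass it in place of SAMPLE_CERT_DER; a base64 (PEM) file must be decoded to DER first, because the thumbprint is defined over the DER bytes, not over the text form.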


Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc. 


Install Identity Certificate

  Choose the type of certificate to install: [identity certificate] [server certificate]

  Select an enrollment request to install.

  Enrollment Status
    Subject            Issuer  Date        Use  Reason   Method  Status       Actions
    student1 at cisco  N/A     02/12/2002  ID   Initial  Manual  In Progress  View | Install | Delete

  Choose the method of installation:
    • Cut & Paste Text
    • Upload File from Workstation

  Enter the name of the identity certificate file.
    Filename  [C:\cert\csvpn root cert.cer]
    [Install] [Cancel]


Identity certificate installation is a four-step process. The steps are as follows:

Step 1  Choose Administration>Certificate Management>Install. The Install window opens. Click the
Install certificate obtained via enrollment link.

Step 2  Choose Administration>Certificate Management>Install certificate obtained via
enrollment. The Install Certificate Obtained Via Enrollment window opens. Click the Install
link in the Actions column within the Enrollment Status section.

Step 3  Choose Administration>Certificate Management>Install>Identity Certificate. The Identity
Certificate window opens. Click the Upload File from Workstation link.

Step 4  Choose Administration>Certificate Management>Install>Identity certificate>Upload file
from the Workstation window and click the Browse button to browse to the identity certificate
on the PC. Click Install.


When the identity certificate is loaded, it is validated. To be valid, the signature on the certificate
must be valid and the certificate must not have expired. A CRL lookup is optional. By default, it
is disabled.

Note If you receive an expiration error when loading your identity certificate, ensure that the
Concentrator’s date and time are set correctly.
Identity Certificate Installed

This section lets you view and manage certificates on the VPN 3000 Concentrator.

  • Click here to enroll with a Certificate Authority
  • Click here to install a certificate

Certificate Authorities [View All CRL Caches | Clear All CRL Caches] (current: 1, maximum: 6)
  Subject              Issuer               Expiration  SCEP Issuer  Actions
  AUSTIN at TRAINING   AUSTIN at TRAINING   06/04/2005  No           View | Configure | Delete

Identity Certificates (current: 1, maximum: 2)
  Subject                      Issuer               Expiration  Actions
  student1sh at Cisco Systems  AUSTIN at TRAINING   06/03/2004  View | Renew | Delete

SSL Certificate [Generate]  Note: The public key in the SSL certificate is also used for the SSH host key.
  Subject                          Issuer                           Expiration  Actions
  10.0.1.5 at Cisco Systems, Inc.  10.0.1.5 at Cisco Systems, Inc.  05/19/2006  View | Renew | Delete

Enrollment Status [Remove All: Errored | Timed-Out | Rejected | Cancelled | In-Progress] (current: 0, available: 2)
  Subject | Issuer | Date | Use | Reason | Method | Status | Actions
  No Enrollment Requests
The Administration>Certificate Management>Certificates window enables the administrator to
view installed certificates. Under Identity Certificates, there are four fields. They are as follows:

■ Subject—The subject’s Common Name plus the Organization (O) in the Subject field of the
certificate.

■ Issuer—The issuer’s Common Name plus the Organization (O) in the Issuer field of the
certificate.

■ Expiration—The expiration date of the certificate.

■ Actions—This column allows you to manage particular certificates. The actions available
vary with the type and status of the certificate. The following are the actions:

— View—View details of this certificate.

— Renew—A shortcut that allows you to generate an enrollment request based on the
content of an existing certificate.

— Delete—Delete this certificate from the Concentrator.

The number of enrollment requests you can make at any given time is limited to the
Concentrator’s identity certificate capacity. Most Concentrator models allow a maximum of 20
identity certificates. For example, if you already have 5 identity certificates installed, you will be
able to create only up to 15 enrollment requests. The Cisco VPN 3005 Concentrator is an
exception, supporting only 2 identity certificates. On the Cisco VPN 3005 Concentrator only,
you can request a third certificate, even if two certificates are already installed, but the
Concentrator does not install this certificate immediately. First you must delete one of the
existing certificates. Then, activate the new certificate to replace the one you just deleted. The
Concentrator automatically deletes entries that have the status Timed out, Failed, Cancelled, or
Error and are older than one week.
View Identity Certificate

  Subject             Issuer
  CN=student1sh       CN=AUSTIN
  OU=training         OU=VSEC
  O=Cisco Systems
  L=Austin
  SP=Texas
  C=US

  Serial Number           61122D72000600000044
  Signing Algorithm       SHA1WithRSA
  Public Key Type         RSA (512 bits)
  MD5 Thumbprint          24:09:19:01:45:B7:2D:94:5B:2E:5E:BC:63:B2:03:DB
  SHA1 Thumbprint         39:9F:9B:BF:8E:FC:9D:36:31:C6:78:FE:D9:44:F8:F2:B6:D2:84:D5
  Validity                6/3/2003 at 15:43:57 to 6/3/2004 at 15:53:57
  CRL Distribution Point  http://austin/CertEnroll/AUSTIN(6).crl


The Administration>Certificate Management>Certificates>View window enables the
administrator to view the installed identity certificate. The end-user certificate contains the
following information:

■ Issuer—Identifies the common name of the issuer (for example, Basic Root).

■ Subject—Identifies the common name of the subject (for example, student1be).

■ Serial Number—Identifies the certificate serial number. This is used when revoking the
certificate.

■ Signing Algorithm—The cryptographic algorithm that the CA or other issuer used to sign
this certificate.

■ Public Key Type—The algorithm and size of the certified public key.

■ MD5 Thumbprint—A 128-bit MD5 hash of the complete certificate contents, shown as a 16-
byte string. This value is unique for every certificate, and it positively identifies the
certificate.

■ SHA1 Thumbprint—A 160-bit SHA-1 hash of the complete certificate contents, shown as a
20-byte string. This value is unique for every certificate, and it positively identifies the
certificate.

■ Validity—Defines the period of time during which the certificate is valid (for example, from
7/23/02 to 7/23/03).

■ CRL Distribution Point—Identifies the location of the CRL. The CRL list can be retrieved
and put in cache for future reference.
Certificate Renewal

Identity Certificates (current: 1, maximum: 2)
  Subject                      Issuer               Expiration  Actions
  student1sh at Cisco Systems  AUSTIN at TRAINING   06/03/2004  View | Renew | Delete

This section allows you to re-enroll or re-key a certificate, so that the VPN 3000 Concentrator updates its
certificate. The certificate request can be sent to a CA, which in turn, sends back a certificate. Please wait for
the operation to finish.

  Certificate                student1sh at Cisco Systems
  Renewal Type               ( ) Re-enrollment  ( ) Re-key   Select the type of renewal. A re-enrollment uses the same
                                                             key for the certificate. A re-key generates a new key for
                                                             the certificate.
  Enrollment Method          [PKCS10 Request (Manual)]       Select the renewal method for this certificate.
  Challenge Password         [              ]                Enter and verify the challenge password for this certificate
  Verify Challenge Password  [              ]                request.

  [Renew] [Cancel]
Certificate renewal is a shortcut that allows you to generate an enrollment request based on the
content of an existing certificate. Use this screen to re-enroll or re-key a certificate. If you re-
enroll the certificate, the new certificate uses the same key pair as the expiring certificate. If you
re-key the certificate, it uses a new key pair.

■ Certificate—The type of certificate you are re-enrolling or re-keying is displayed here.

■ Renewal Type radio button—Specify the type of request:

— Re-enrollment—Use the same key pair as the expiring certificate.

— Re-key—Use a new key pair.

■ Enrollment Method drop-down menu—Choose an enrollment method:

— PKCS10 Request (manual)—Enroll using the manual process.

— Certificate Name via SCEP—Enroll automatically using this SCEP CA.

■ Challenge Password field—Your CA might have given you a password as a means of
verifying your identity. If you have a password from your CA, enter it here.

■ Verify Challenge Password field—Re-enter the challenge password you just entered.

■ Renew button—Click Renew to renew the certificate.

■ Cancel button—Click Cancel to stop the certificate renewal.
Configure CA—CRL Caching, Backup, and HTTP Support

  [Figure callouts: CRL DP, LDAP support]
CRLs are issued by Certificate Authorities (CAs) to identify revoked certificates. A CRL-DP 
specifies the location of a CRL on a server from which it can be downloaded. In order to verify 
the revocation status, the Concentrator retrieves the CRL from the primary or one of the backup 
CRL-DPs. The Concentrator checks the peer certificate serial number against the list of serial 
numbers in the CRL. If none of the serial numbers match, it is assumed that the peer certificate 
has not been revoked. 


Since the system has to fetch and examine the CRL from a network DP, enabling CRL checking
might slow system response times. Also, if the network is slow or congested, CRL checking
might time out. Enable CRL caching to mitigate these potential problems. This stores the
retrieved CRLs in local volatile memory, thus allowing the Concentrator to verify the revocation
status of certificates more quickly. There is more on configuring CRL-DPs and CRL caching
later in this lesson.
Configuring CA Certificates

Certificate Authorities [View All CRL Caches | Clear All CRL Caches] (current: 1, maximum: 6)
  Subject              Issuer               Expiration  SCEP Issuer  Actions
  AUSTIN at TRAINING   AUSTIN at TRAINING   06/04/2005  No           View | Configure | Delete

  [Figure callouts on the Configure CA Certificate window: CRL retrieval policy, CRL caching, CRL Distribution Points]
There are three sections to the Administration>Certificate Management>Configure CA 
Certificate window: CRL retrieval policy, CRL caching, and CRL-DPs. Enabling CRL checking 
means that every time the Concentrator uses the certificate for authentication, it also checks the 
latest CRL to ensure that the certificate has not been revoked. The CRL retrieval policy defines 
where to find the CRL-DP location. The choices are as follows: on a CA certificate, statically 
defined on the Concentrator, a combination of both, or disable CRL checking. 


The next section is CRL caching. Since the Concentrator has to fetch and examine the CRL from 
a network-based DP, CRL checking might slow system response times or cause the IPSec tunnel 
to fail due to IKE timeout issues. Enable CRL caching to mitigate these potential problems. CRL 
caching stores the retrieved CRLs in local volatile memory. This enables the Concentrator to 
verify the revocation status of certificates more quickly. 


The last section is configuring the location of CRL-DPs. One of the responsibilities of a CA is to
create a database of all revoked certificates. This is referred to as a CRL. CAs locate CRLs at
network-based DPs, or CRL-DPs. Many certificates include the location of these CRL-DPs. If
the CRL-DP is present in the certificate and in the proper format, you do not need to configure
any CRL-DP fields in this window. If a CRL-DP is not present or you choose to define
additional CRL-DPs, define the CRL-DP addresses in the Static CRL-DP window.


There is more discussion of configuring CAs later in this lesson. 
Configuring CRL Retrieval Policy

  Certificate  AUSTIN at TRAINING

  CRL Retrieval Policy
    (o) Use CRL distribution points from the certificate being checked
    ( ) Use static CRL distribution points
    ( ) Use CRL distribution points from the certificate being checked or else use static CRL distribution points
    ( ) No CRL checking
    Choose the method to use to retrieve the CRL.

  [Figure callouts: Certificate CRL DP, Static CRL DP]


During IKE phase 1 negotiation, if CRL checking is enabled, the Concentrator verifies the
revocation status of the IKE peer certificate before allowing the IPSec tunnel to be established.
CRLs exist on external servers maintained by CAs. The Concentrator retrieves the CRL using
one of the available CRL-DPs and checks the peer certificate serial number against the list of
serial numbers in the CRL to verify the revocation status. If there are no matches, the
Concentrator assumes that the peer certificate has not been revoked. The CRL retrieval options
are as follows:

■ Use CRL Distribution Points from the certificate being checked—The Concentrator retrieves
up to five CRL-DPs from the CRL-DP extension of the certificate being verified. The
Concentrator also augments the CRL-DP’s information with the configured default values, if
necessary. If the Concentrator’s attempt to retrieve a CRL using the primary CRL-DP fails,
the Concentrator retries using the next available CRL-DP in the list. This process continues
until either a CRL is retrieved or the list is exhausted.

■ Use static CRL Distribution Points—Use up to five static CRL-DPs, as specified on this
window. If you choose this option, you must enter at least one, and no more than five, static
CRL-DPs.

■ Use CRL Distribution Points from the certificate being checked, or else use static DPs—If
the Concentrator cannot find five CRL-DPs in the certificate, it adds static CRL-DPs, up to a
limit of five. If you choose this option, be sure to choose a CRL-DP Protocol. If you choose
the LDAP protocol, be sure to set the LDAP DP defaults as well. You also must enter at least
one, and no more than five, static CRL-DPs.

■ No CRL Checking—Do not enable CRL checking.
Configuring CRL Caching

Certificate Authorities [View All CRL Caches | Clear All CRL Caches] (current: 1, maximum: 6)
  Subject              Issuer               Expiration  SCEP Issuer  Actions
  AUSTIN at TRAINING   AUSTIN at TRAINING   06/04/2005  No           View | Configure | Delete

  Certificate  AUSTIN at TRAINING

  CRL Retrieval Policy
    ( ) Use CRL distribution points from the certificate being checked
    (o) Use static CRL distribution points
    ( ) Use CRL distribution points from the certificate being checked or else use static CRL distribution points
    ( ) No CRL checking
    Choose the method to use to retrieve the CRL.

  CRL Caching
    Enabled       [ ]    Check to enable CRL caching. Disabling will clear the CRL cache.
    Refresh Time  [    ] Enter the refresh time in minutes (5 - 1440). Enter 0 to use the Next
                         Update field in the cached CRL.


With CRL caching enabled, when the Concentrator verifies a certificate’s revocation status, it
first checks whether the required CRL exists in the cache and verifies the certificate’s serial
number against the CRL’s list of serial numbers. The certificate is considered revoked if its serial
number is found. The Concentrator retrieves a CRL from an external server either when it does
not find the required CRL in the cache, or when the validity period of the cached CRL has
expired. When the Concentrator receives a new CRL from an external server, it updates the
cache with the new CRL.

The administrator must decide whether to enable CRL caching, and if so, what the cache refresh
period is. The caching configuration options are as follows:

■ Enabled—Select the Enabled check box to allow the Concentrator to cache retrieved CRLs.
The default is not to enable CRL caching. Disabling CRL caching, by deselecting the check
box, clears the CRL cache.

■ Refresh Time—Specify the refresh time in minutes for the CRL cache. The range is 5 to
1440 minutes; the default value is 60 minutes. Enter 0 to use the Next Update field, if
specified, in the cached CRL.

The total memory allocated for all combined CRL caches varies by Concentrator model and is as
follows:

■ Cisco VPN 3005 Concentrator—Can cache up to 128 KB

■ Cisco VPN 3015 Concentrator—Can cache up to 256 MB

■ Cisco VPN 3030 Concentrator—Can cache up to 256 MB

■ Cisco VPN 3060 Concentrator—Can cache up to 1 MB

■ Cisco VPN 3080 Concentrator—Can cache up to 1 MB

The CRL cache exists in memory. Rebooting the Concentrator clears the CRL cache. The
Concentrator re-populates the CRL cache with updated CRLs as it processes new peer
authentication requests. The embedded management enables the user to delete cached CRLs
issued by a particular CA. This enables the user to force a CRL update to be performed with
the next IPSec tunnel establishment attempt.
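The retrieval-policy and caching rules from the two preceding topics fit together into one small model. The following is an added example written for this lesson, not Concentrator code or a Cisco tool; it simulates the behaviour the text describes: the ordered list of up to five CRL-DPs for each retrieval policy, fall-through to the next DP when the primary one fails, the serial-number match against the CRL, and a volatile cache whose entries expire after the refresh time or, when the refresh time is 0, at the CRL's Next Update. The run_demo function uses constructed data (the DP URLs are the ones shown in this lesson, the revoked serial and the fetcher that fails the primary DP are made up for the demonstration).

```python
from datetime import datetime, timedelta

MAX_CRL_DPS = 5  # the Concentrator consults at most five CRL-DPs for one lookup


def build_dp_list(policy, cert_dps, static_dps):
    """Order the CRL-DPs to try, one branch per radio button of the retrieval policy."""
    if policy == "none":
        return []
    if policy == "certificate":
        return list(cert_dps[:MAX_CRL_DPS])
    if policy not in ("static", "certificate_else_static"):
        raise ValueError(f"unknown CRL retrieval policy: {policy!r}")
    if not 1 <= len(static_dps) <= MAX_CRL_DPS:
        raise ValueError("between one and five static CRL-DPs are required")
    dps = [] if policy == "static" else list(cert_dps[:MAX_CRL_DPS])
    for dp in static_dps:          # top up with static DPs, never beyond five in total
        if len(dps) < MAX_CRL_DPS and dp not in dps:
            dps.append(dp)
    return dps


class CRLCache:
    """Volatile CRL cache (lost on reboot). refresh_minutes is 0 (use the CRL's own
    Next Update field) or 5..1440. Deselecting Enabled also empties the cache."""

    def __init__(self, enabled=False, refresh_minutes=60):
        if refresh_minutes != 0 and not 5 <= refresh_minutes <= 1440:
            raise ValueError("refresh time must be 0 or between 5 and 1440 minutes")
        self.enabled, self.refresh = enabled, timedelta(minutes=refresh_minutes)
        self._entries = {}  # issuer -> (crl, time it was fetched)

    def lookup(self, issuer, now):
        if not self.enabled or issuer not in self._entries:
            return None
        crl, fetched_at = self._entries[issuer]
        stale_at = fetched_at + self.refresh if self.refresh else crl["next_update"]
        if now >= stale_at:                 # expired: drop it so it is fetched afresh
            del self._entries[issuer]
            return None
        return crl

    def store(self, issuer, crl, now):
        if self.enabled:
            self._entries[issuer] = (crl, now)


def fetch_crl(dps, fetcher):
    """Try the primary DP first, then each backup; the first one that answers wins."""
    for dp in dps:
        try:
            return fetcher(dp)
        except OSError:          # unreachable or timed-out DP: move on to the next one
            continue
    return None


def check_revocation(peer, policy, static_dps, cache, fetcher, now):
    """peer = {'issuer': ..., 'serial': ..., 'crl_dps': [...]} as read from its certificate.
    Returns 'not-checked', 'good', 'revoked' or 'unknown' (no DP could be reached; the
    caller, not this function, decides whether a tunnel may still be established)."""
    if policy == "none":
        return "not-checked"
    crl = cache.lookup(peer["issuer"], now)
    if crl is None:
        crl = fetch_crl(build_dp_list(policy, peer.get("crl_dps", []), static_dps), fetcher)
        if crl is None:
            return "unknown"
        cache.store(peer["issuer"], crl, now)
    return "revoked" if peer["serial"].upper() in crl["revoked_serials"] else "good"


def run_demo():
    """Constructed scenario: the certificate's own DP is down, the static backup answers,
    and the cache then absorbs lookups until the 60-minute refresh time passes."""
    t0 = datetime(2003, 6, 3, 15, 43, 57)
    calls = []
    crl = {"revoked_serials": {"0A1B2C3D"},            # constructed revoked serial
           "next_update": t0 + timedelta(hours=24)}

    def fetcher(url):
        calls.append(url)
        if url.startswith("http://austin/"):
            raise OSError("simulated: primary CRL-DP unreachable")
        return crl

    peer = {"issuer": "AUSTIN at TRAINING", "serial": "61122D72000600000044",
            "crl_dps": ["http://austin/CertEnroll/AUSTIN(6).crl"]}
    static = ["http://10.0.1.51/CertEnroll/AUSTIN.crl"]
    cache, policy, out = CRLCache(enabled=True, refresh_minutes=60), "certificate_else_static", {}
    out["peer"] = check_revocation(peer, policy, static, cache, fetcher, t0)
    out["fetches"] = len(calls)                           # 2: primary failed, backup answered
    out["revoked_peer"] = check_revocation(dict(peer, serial="0a1b2c3d"), policy, static,
                                           cache, fetcher, t0 + timedelta(minutes=10))
    out["fetches_after_cache_hit"] = len(calls)           # still 2: served from the cache
    out["after_refresh"] = check_revocation(peer, policy, static, cache, fetcher,
                                            t0 + timedelta(minutes=61))
    out["fetches_after_refresh"] = len(calls)             # 4: entry expired, fetched again
    out["cert_dp_only"] = check_revocation(peer, "certificate", static, CRLCache(), fetcher, t0)
    out["not_checked"] = check_revocation(peer, "none", static, cache, fetcher, t0)
    return out
```

The 'unknown' result is the case the lesson warns about: with the DP unreachable and no cached copy, the Concentrator has no basis for a decision, and slow or congested DPs are exactly why the refresh time and the static backup DPs exist.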
Configuring CRL DPs

  [Figure callouts: LDAP support, HTTP support, Client]

  CRL Distribution Points Protocols
    [x] HTTP   (If you choose HTTP, be sure to assign HTTP rules to the public interface filter.
               For more information, click Help.)
    [ ] LDAP   If you choose LDAP, configure the LDAP distribution point defaults below.

  LDAP Distribution Point Defaults
    Server       [        ]  Enter the hostname or IP address of the server.
    Server Port  [        ]  Enter the port number of the server. The default port is 389.
    Login DN     [        ]  Enter the login DN for access to the CRL on the server.
    Password     [        ]  Enter the password for the login DN.
    Verify       [        ]  Verify the password for the login DN.

  Static CRL Distribution Points
    LDAP or HTTP URLs  [http://10.0.1.51/CertEnroll/AUSTIN.crl]
                       Enter up to 5 URLs to use to retrieve the CRL from the server.
                       Enter each URL on a single line.
CRL Distribution Points Protocols—Choose a DP protocol to use to retrieve the CRL if the
primary CRL-DP is unavailable. If you choose HTTP, be sure to assign HTTP rules to the public
interface filter. If you choose LDAP, configure the LDAP DP defaults as follows:

■ LDAP Distribution Point Defaults—If you specified LDAP as the CRL-DP protocol, enter
the following information. If the DP extension of the peer’s certificate is missing any of the
following fields, the Concentrator enters these values:

— Server—Enter the IP address or hostname of the CRL-DP server (LDAP server). The
maximum field length is 32 characters.

— Server Port—Enter the port number for the CRL server. Enter 0 (the default) to have the
system supply the default port number: 389 (LDAP).

— Login DN—Enter the login DN (Distinguished Name), which defines the directory path
to access this CRL database (for example, cn=crl, ou=certs, o=CANam, c=US). The
maximum field length is 128 characters.

— Password—Enter the password for the Login DN. The maximum field length is 128
characters.

— Verify—Re-enter the password to verify it. The maximum field length is 128 characters.

■ Static CRL Distribution Points—Enter the HTTP or LDAP address of the external servers
where the CRLs are located. If you chose a CRL Retrieval Policy that uses static DPs, you
must enter at least one, but not more than five, valid URLs. Enter each URL on a single line.
(Scroll right to enter longer values.)

The following are examples of valid URLs:

■ HTTP URL: http://10.0.1.51/CertEnroll/AUSTIN.crl

■ LDAP URL: ldap://100.199.7.6:389/CN=TestCA68,CN=2KPDC,CN=CDP,CN=Public Key
Services,CN=Services,CN=Configuration,DC=qa2000,
DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
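The LDAP URL above packs four things after the host: the DN of the CRL object, the attribute to read, the search scope, and a filter (the RFC 4516 LDAP URL layout). The following is an added example written for this lesson, not Concentrator code or a Cisco tool: it parses both example URLs from the text into their parts and applies the Static CRL Distribution Points rules (http or ldap only, one URL per line, at least one and at most five). The EXAMPLE_STATIC_DPS list holds the two URLs shown above; the default filter and scope values are the RFC 4516 defaults, not Concentrator settings.

```python
MAX_STATIC_DPS = 5


def parse_crl_dp(url: str) -> dict:
    """Break an HTTP or LDAP CRL-DP URL into the parts needed to fetch the CRL.
    LDAP URLs follow RFC 4516: ldap://host:port/<base DN>?<attributes>?<scope>?<filter>."""
    scheme, sep, rest = url.strip().partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("http", "ldap"):
        raise ValueError(f"CRL-DP must be an http:// or ldap:// URL: {url!r}")
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not host:
        raise ValueError(f"CRL-DP has no server name: {url!r}")
    entry = {"scheme": scheme, "host": host,
             "port": int(port) if port else (389 if scheme == "ldap" else 80)}
    if scheme == "http":
        entry["path"] = "/" + path       # e.g. /CertEnroll/AUSTIN.crl
        return entry
    fields = (path.split("?") + ["", "", "", ""])[:4]
    base_dn, attributes, scope, ldap_filter = fields
    if not base_dn:
        raise ValueError(f"LDAP CRL-DP needs the DN of the CRL object: {url!r}")
    entry.update({"dn": base_dn,
                  "attributes": [a for a in attributes.split(",") if a],
                  "scope": scope or "base",                 # RFC 4516 default scope
                  "filter": ldap_filter or "(objectClass=*)"})  # RFC 4516 default filter
    return entry


def validate_static_dps(lines) -> list:
    """Accept the Static CRL Distribution Points text box: one URL per line, at least
    one and at most five. Returns the parsed entries in the order they will be tried."""
    urls = [line.strip() for line in lines if line.strip()]
    if not 1 <= len(urls) <= MAX_STATIC_DPS:
        raise ValueError(f"enter between 1 and {MAX_STATIC_DPS} static CRL-DPs, got {len(urls)}")
    return [parse_crl_dp(u) for u in urls]


# The two example URLs given in the text (the LDAP one is joined onto one line here).
EXAMPLE_STATIC_DPS = [
    "http://10.0.1.51/CertEnroll/AUSTIN.crl",
    "ldap://100.199.7.6:389/CN=TestCA68,CN=2KPDC,CN=CDP,CN=Public Key Services,"
    "CN=Services,CN=Configuration,DC=qa2000,DC=com"
    "?certificateRevocationList?base?objectclass=cRLDistributionPoint",
]

if __name__ == "__main__":
    for entry in validate_static_dps(EXAMPLE_STATIC_DPS):
        print(entry)
```

Running this on the text box contents before committing them catches the two mistakes the lesson warns about: a protocol the Concentrator cannot use, and a list that is empty or longer than five entries.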
Step 1—Check the Active IKE Proposal List

Add, delete, prioritize, and configure IKE Proposals.

Select an Inactive Proposal and click Activate to make it Active, or click Modify, Copy or Delete as appropriate.
Select an Active Proposal and click Deactivate to make it Inactive, or click Move Up or Move Down to change its priority.
Click Add or Copy to add a new Inactive Proposal. IKE Proposals are used by Security Associations to specify IKE parameters.

  Active Proposals                 Actions           Inactive Proposals
  CiscoVPNClient-3DES-MD5          << Activate       IKE-3DES-SHA-DSA
  CiscoVPNClient-3DES-MD5-RSA      Deactivate >>     IKE-3DES-MD5-RSA-DH1
  IKE-3DES-MD5                     Move Up           IKE-DES-MD5-DH7
  IKE-3DES-MD5-DH1                 Move Down         CiscoVPNClient-3DES-SHA-DSA
  IKE-DES-MD5                      Add               CiscoVPNClient-3DES-MD5-RSA-DH5
  IKE-3DES-MD5-DH7                 Modify            CiscoVPNClient-3DES-SHA-DSA-DH5
  IKE-3DES-MD5-RSA                 Copy              CiscoVPNClient-AES256-SHA
  CiscoVPNClient-3DES-MD5-DH5      Delete            IKE-AES256-SHA
  CiscoVPNClient-AES128-SHA
  IKE-AES128-SHA
You must complete the following before the Client-to-LAN with digital certificates tunnel can
be configured:

Step 1  Check the Active Internet Key Exchange (IKE) proposal list. For Client-to-LAN with digital
certificates to work, the Concentrator requires the use of an RSA IKE proposal.

Step 2  Check the IKE proposal.

Step 3  Modify or add an SA.
Step 2—Check the IKE Proposal

Modify a configured IKE Proposal.

  Proposal Name             [CiscoVPNClient-3DES-               Specify the name of this IKE Proposal.
  Authentication Mode       [RSA Digital Certificate (XAUTH)]   Select the authentication mode to use.
  Authentication Algorithm  [MD5/HMAC-128]                      Select the packet authentication algorithm to use.
  Encryption Algorithm      [3DES-168]                          Select the encryption algorithm to use.
  Diffie-Hellman Group      [Group 2 (1024-bits)]               Select the Diffie Hellman Group to use.
  Lifetime Measurement      [Time]                              Select the lifetime measurement of the IKE keys.
  Data Lifetime             [10000]                             Specify the data lifetime in kilobytes (KB).
  Time Lifetime             [86400]                             Specify the time lifetime in seconds.

  [Apply] [Cancel]
Check the activated RSA Internet Key Exchange (IKE) proposal to ensure that it meets the
authentication, encryption, Diffie-Hellman (DH), and lifetime requirements. In the figure, the
RSA IKE proposal supports the following:

■ Authentication mode—RSA digital certificates

■ Authentication algorithm—MD5

■ Encryption algorithm—3DES

■ DH group—DH group 2

■ Lifetime measurement and lifetime—Time and 86400 seconds

Note For the IPSec Client-to-LAN applications, the authentication mode is changed from pre-
shared keys to digital certificates.
Step 3—Modify or Add an SA

  (Save Needed)

This section lets you add, configure, modify, and delete IPSec Security Associations (SAs). Security Associations use IKE Proposals to negotiate
IKE parameters.

Click Add to add an SA, or select an SA and click Modify or Delete.

Modify or add a Security Association (SA). The SA is a template that defines IPSec and IKE
attributes. There are two choices: modify an existing SA, or add a new one. If you modify an
existing SA, you change it from pre-shared keys, which is the default, to RSA signed digital
certificates. By changing it, you may be enabling the Client-to-LAN with digital certificates
tunnels but disabling the use of pre-shared keys for someone else. The best choice is to add an
SA. Click Add to add an SA.
IPSec SA

Configure and add a new Security Association.

  SA Name      [RSA-3DES-MD5]   Specify the name of this Security Association (SA).
  Inheritance  [From Rule]      Select the granularity of this SA.

  IPSec Parameters
  Authentication Algorithm  [ESP/MD5/HMAC-128]             Select the packet authentication algorithm to use.
  Encryption Algorithm      [3DES-168]                     Select the ESP packet encryption algorithm to use.
  Encapsulation Mode        [Tunnel]                       Select the Encapsulation Mode for this SA.
  Perfect Forward Secrecy   [Disabled]                     Select the use of Perfect Forward Secrecy.
  Lifetime Measurement      [Time]                         Select the lifetime measurement of the IPSec keys.
  Data Lifetime             [10000]                        Specify the data lifetime in kilobytes (KB).
  Time Lifetime             [28800]                        Specify the time lifetime in seconds.

  IKE Parameters
  IKE Peer                  [0.0.0.0]                      Specify the IKE Peer for a LAN-to-LAN connection.
  Negotiation Mode          [Main]                         Select the IKE Negotiation mode to use.
  Digital Certificate       [student1]                     Select the Digital Certificate to use.
  Certificate Transmission  [...]                          Choose how to send the digital certificate to the IKE peer.
  IKE Proposal              [CiscoVPNClient-3DES-MD5-RSA]  Select the IKE Proposal to use as IKE initiator.
When adding a Security Association (SA), give the SA a descriptive name, such as RSA-3DES-
MD5. Next, there are two sections to check: IKE and IPSec. In the IPSec parameter section of
the window, verify the authentication, encryption, DH, and lifetime parameters. In the figure, the
IPSec proposal supports the following:

■ Authentication algorithm—MD5

■ Encryption algorithm—3DES

■ Encapsulation mode—Tunnel

■ DH group—DH group 2

■ Lifetime measurement and lifetime—Time and 28800 seconds

Choose the IKE parameters that will be applied to this SA in the IKE Parameters section. Choose
the correct certificate from the Digital Certificate drop-down menu to do this. In the figure, the
student1 certificate was chosen. This certificate is used during the certificate exchange. Next,
choose CiscoVPNClient-3DES-MD5-RSA from the IKE Proposal drop-down menu. Click
Apply.
For the VPN Client to participate in the certificate exchange, a certificate needs to be loaded on
the PC, which is called VPN Client enrollment. There are two types of VPN Client enrollment:

■ File-based enrollment—This is a manual process. You can enroll by creating a request file,
PKCS#10. When you have created a request file, you can either e-mail it to the CA and
receive a certificate, or you can access the CA’s web site and cut and paste the enrollment
request in the area that the CA provides. When generated by the CA, identity and root
certificates are downloaded to the PC. The certificates must then be imported into the
certificate manager.

■ Network-based enrollment—This is an automated process, which enables you to connect
directly to a CA via SCEP. Complete the enrollment form to connect to a CA via SCEP. The
Certificate Manager uses SCEP to send the request to the CA, where the CA issues an
identity certificate. The CA then returns both the identity and CA certificates back to the
Certificate Manager. In order for network-based enrollment to work, both the end device and
the CA must support SCEP.
You can use the Certificate Tab to enroll and manage personal certificates. Specifically, you can
use the Certificate Tab to do the following:

■ Import certificates.

■ Manage certificates by viewing, verifying, deleting, or exporting them.

■ Manage enrollment requests.

■ Obtain personal certificates through enrollment with a CA. You can enroll automatically through
the network or manually via a file exchange.
Certificate Store

  A certificate store is a location in your local file system that contains personal certificates.

A certificate store is a location in your local file system that contains personal certificates. The
major store for the VPN Client is the Cisco store, which contains certificates you have enrolled
for through the Simple Certificate Enrollment Protocol (SCEP). Your system also includes a
Microsoft certificate store that may contain certificates that your organization provides or that
you have installed previously. You can manage them just like the certificates in your Cisco store,
or you can import them to your Cisco store. New certificates obtained through enrollment or
importing go into the Cisco store.
You can enroll by creating a file using the Certificate Enrollment form. Once you have created a
request file, you can either e-mail it to the CA and receive a certificate back, or you can access
the CA's web site and cut and paste the enrollment request into the area that the CA provides.

You must choose one of the following file types:

■ Binary encoded—A binary (DER) PKCS#10 file (Public Key Cryptography Standard #10, using
the same DER encoding as an X.509 DER certificate file). You cannot display a binary-encoded
file as text.

■ Base 64 encoded—An ASCII (Base64) encoded PKCS#10 file that you can display in text
format. Choose this type when you want to cut and paste the text into the CA web site.

In the Filename field, enter the full pathname for the request file.

In the New Password field, enter the password that protects this certificate. If your connection
entry requires certificate authentication, you must enter this password each time you connect.
The password can be up to 32 characters in length.

Clicking Next displays page two of the enrollment request.
Enrollment Form

(Figure: the VPN Client enrollment form, showing fields such as Company [O] and IP Address.)
Before you can build a certificate request, the administrator must supply some enrollment
information. There are eight fields in the enrollment form:

■ Common Name—The unique name used for this certificate. This field is required. It will
become the name of the certificate (for example, student1).

■ Dept—The name of the department to which you belong (for example, training). This field
becomes the OU (organizational unit) of the certificate. The Concentrator uses the OU as the
group name, so it must match a group configured on the Concentrator.

■ Company—The name of the company or organization to which you belong (for example,
Cisco).

■ State—The name of your state (for example, Massachusetts).

■ Country—The two-letter country code for your country (for example, US).

■ Email—Your e-mail address (for example, asmith@cisco.com).

■ IP Address—The IP address of your system (for example, 172.26.26.1).

■ Domain—The name of the domain your system is in (for example, cisco.com). It can be a
FQDN (for example, training.cisco.com).

After completing the form, click Enroll. The VPN Client displays a message to let you know
whether your request succeeded. If successful, the message contains the name of the file.
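The form fields above end up inside the PKCS#10 request, six of them as the certificate's subject name. The following is an added example written for this page in plain Python with no third-party modules; it is not Cisco VPN Client code. It builds the X.501 subject name from the sample values used above, encodes it as binary DER and as the Base64 text form you would paste into a CA web page, decodes it back, and checks that the OU matches the Concentrator group name before the request is sent. The attribute types and string encodings chosen, the assumption that the IP Address and Domain fields are carried outside the subject name (as subject alternative names), and the sample form values are all assumptions made for this example.

```python
import base64
# X.520 / PKCS#9 attribute-type OIDs for the subject fields on the enrollment form.
OID = {"CN": "2.5.4.3", "OU": "2.5.4.11", "O": "2.5.4.10",
       "ST": "2.5.4.8", "C": "2.5.4.6", "emailAddress": "1.2.840.113549.1.9.1"}
OID_TO_ATTR = {v: k for k, v in OID.items()}
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
                "0123456789 '()+,-./:=?")
# Constructed sample input: the example values from the lesson text (assumed).
FORM = {"Common Name": "student1", "Dept": "training", "Company": "Cisco",
        "State": "Massachusetts", "Country": "US", "Email": "asmith@cisco.com",
        "IP Address": "172.26.26.1", "Domain": "training.cisco.com"}

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one octet, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += chunk
    return tlv(0x06, bytes(out))

def encode_value(attr, value):
    if attr == "emailAddress":                  # PKCS#9 emailAddress is IA5String
        return tlv(0x16, value.encode("ascii"))
    if set(value) <= PRINTABLE:                 # PrintableString when it fits
        return tlv(0x13, value.encode("ascii"))
    return tlv(0x0C, value.encode("utf-8"))     # UTF8String otherwise

def encode_name(rdns):
    """X.501 Name: SEQUENCE OF (SET OF one AttributeTypeAndValue)."""
    out = b""
    for attr, value in rdns:
        atv = tlv(0x30, encode_oid(OID[attr]) + encode_value(attr, value))
        out += tlv(0x31, atv)
    return tlv(0x30, out)

def read_tlv(buf, pos):
    # Returns (tag, body, position after this element).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def decode_name(der):
    """Inverse of encode_name; unknown attribute types come back in dotted form."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subject is not a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = read_tlv(body, pos)
        _, atv, _ = read_tlv(rdn, 0)
        _, oid_body, after_oid = read_tlv(atv, 0)
        _, value, _ = read_tlv(atv, after_oid)
        oid = decode_oid(oid_body)
        rdns.append((OID_TO_ATTR.get(oid, oid), value.decode("utf-8")))
    return rdns

def subject_from_form(form):
    """Map form fields to DN attributes. IP Address and Domain are assumed to go
    into the subjectAltName extension rather than the subject, so they are skipped."""
    order = [("Common Name", "CN"), ("Dept", "OU"), ("Company", "O"),
             ("State", "ST"), ("Country", "C"), ("Email", "emailAddress")]
    return [(attr, form[field]) for field, attr in order if form.get(field)]

def to_pem(der, label="CERTIFICATE REQUEST"):
    """The 'Base 64 encoded' file type: text you can paste into the CA web page."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])

def from_pem(text):
    body = [ln for ln in text.splitlines() if ln and not ln.startswith("-----")]
    return base64.b64decode("".join(body))

def ou_matches_group(der, group):
    """The Concentrator uses the OU as the group name; the comparison is case sensitive."""
    return any(a == "OU" and v == group for a, v in decode_name(der))

if __name__ == "__main__":
    der = encode_name(subject_from_form(FORM))
    print(to_pem(der))
    print(decode_name(der), ou_matches_group(der, "training"))
```

Run it as a script to print the Base64 text block. Because the Concentrator compares the OU with the group name exactly, ou_matches_group(der, "Training") returns False for a subject enrolled with OU=training; catching that before enrollment saves a round trip through the CA.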
When an enrollment request file is generated, it is saved on the PC hard drive. You open the
enrollment request file, copy its contents, and paste it into the appropriate window on the
Microsoft CA. To do this, complete the following steps:

Step 1 Locate the enrollment request file on the PC and double-click it. The file opens as a plain
text (Notepad) file.

Step 2 Select the contents of the file by choosing Edit>Select All. Copy the contents by choosing
Edit>Copy.

Step 3 Paste the contents of the enrollment request file into the appropriate window on the CA. Select
the CA window and press Ctrl+V. This pastes the contents of the paste buffer into the area
provided by the CA. The CA now creates an identity certificate.
From an enrollment form, the Certificate Manager creates an enrollment request. The contents of
the request file are transferred to the CA via cut and paste, and the CA issues a new identity
certificate. After the CA generates the identity certificate, the identity and root certificates are
downloaded to the PC. Complete the following steps to download the certificates:

Step 1 Choose an encoding scheme: DER or Base 64 encoding. Either will work; the client can
handle both schemes.

Step 2 Select the type of download: CA certificate or CA certificate path. Selecting CA certificate
downloads only the certificate that was just issued (the identity certificate); the root certificate
must then be downloaded separately. Selecting CA certificate path downloads both the identity and
root certificates together as a single PKCS#7 file. Selecting the download type starts the download.

Step 3 The Save In window opens. Choose the destination folder from the Save In drop-down menu. In
the File Name field, enter the name of the file; the default file name is certnew. Rename the
file to something more descriptive, such as PC_new_york. Make a note of the destination folder and
file name; you will need them when the certificates are imported. Click Save.

Step 4 The Download Complete window opens. Click Close. The process is complete. The certificates
are on the PC's hard drive.
The last step is to import the identity and root certificates into the certificate store. Clicking
the Import button opens the Import Certificate window. You choose whether you are going
to import from a file or from a Microsoft certificate store and browse to the appropriate file.

The following fields are available:

■ Import Path—The complete pathname for the certificate. You can type the name or browse
your file system to locate the file.

■ Import Password—This password must exactly match the password given during enrollment
(online) or given when exported (if a file), including upper- and lowercase letters. For
example, sKate8 is not the same as Skate8. In online enrollment, this password is
kept with the certificate; in file enrollment, this password is not retained.

■ New Password—The password to be stored with the certificate. Use this password to protect
the certificate while it is in the certificate store. This password is optional, but we recommend
that you always protect your certificate with a password.

■ Confirm Password—The password that you enter here must match what you entered in the
New Password field.

To complete the import request, click the Import button.
To display a certificate, select it in the certificate store, then do one of the following:

■ Open the Certificates menu and choose View.

■ Click View on the toolbar above the Certificates tab.

■ Double-click the certificate.
File-based enrollment is a file-transfer-intensive process. Network-based enrollment, by contrast, is
an automatic process that connects you directly to a CA via SCEP. Complete the
enrollment form to connect to a CA via SCEP. The Certificate Manager uses SCEP to send the
request to the CA, where the CA issues an identity certificate. The CA then returns both the CA
(or RA) certificate and the identity certificate to the Certificate Manager. For network-based
enrollment to work, both the end device and the CA must support SCEP.
SCEP operates between the client and the certificate server. The certificate request process
is always the same, but the approval process varies depending on whether the identity
certificate is automatically or manually approved. The approval process varies between CAs. In
a private network where the corporation owns the CA, the approval process may be set to
automatic: the user makes a request, the CA approves the request, and an identity certificate is
generated. If the user is making the request of a public CA, the request may be delayed pending
a manual approval process. The SCEP process is as follows:

■ The Certificate Manager sends a request for the CA or RA certificate to the CA.

■ The CA returns its CA or RA certificate.

■ The Certificate Manager:

— Verifies the CA or RA certificate (for example, by comparing its fingerprint with one
obtained from the CA administrator out of band, because the download itself is not
authenticated).

— Generates keys.

— Generates the certificate request.

— Sends the certificate request to the CA.

■ The CA processes the request, generates an identity certificate, and returns the identity
certificate to the Certificate Manager.

■ Or, the CA places the request in a pending (approval) queue and returns a pending message to
the Certificate Manager.

— The Certificate Manager then periodically polls the CA.

— If the identity certificate is approved, the CA sends it to the Certificate Manager.
Choosing Online in the Certificate Enrollment window allows you to request your certificates
via the network. Network-based enrollment is an automatic process that connects you
directly to a CA via SCEP. Fill out the enrollment form to connect to a CA via SCEP.
The Certificate Manager uses SCEP to send the request to the CA, where the CA issues an
identity certificate. The CA then returns both the CA (or RA) certificate and the identity
certificate to the Certificate Manager. The file exchange process is automatic. For
network-based enrollment to work, both the end device and the CA must support SCEP.

The following fields are available:

■ CA URL—The URL or network address of the CA. This parameter is required.

■ CA Domain—The CA's domain name. This parameter is required.

■ Challenge Password—Some CAs require a password to access their site. If that is the case
with this CA, enter the password in the Challenge Password field. To find out the password,
contact the CA or your network administrator.

■ New Password—The password that protects this certificate. If your connection entry
requires certificate authentication, you must enter this password each time you connect. The
password can be up to 32 characters in length. Passwords are case sensitive. For example,
sKate8 and Skate8 are different passwords.

Clicking Next displays page two of the enrollment request.
If the CA does not approve the request immediately, the VPN Client reports: Certificate enrollment
is now pending. To resubmit the request later, either choose Retry from the Certificates menu,
or right-click the selected certificate and choose Retry.
As with file-based enrollment, before you can build a certificate request, the administrator must
supply some enrollment information. There are eight fields in the enrollment form:

■ Common Name—The unique name used for this certificate. This field is required. It will
become the name of the certificate (for example, student1).

■ Dept—The name of the department to which you belong (for example, training). This field
becomes the OU of the certificate. The Concentrator uses the OU as the group name, so it
must match a group configured on the Concentrator.

■ Company—The name of the company or organization to which you belong (for example,
Cisco).

■ State—The name of your state (for example, Massachusetts).

■ Country—The two-letter country code for your country (for example, US).

■ Email—Your e-mail address (for example, asmith@cisco.com).

■ IP Address—The IP address of your system (for example, 172.26.26.1).

■ Domain—The name of the domain your system is in (for example, cisco.com). It can be a
FQDN (for example, training.cisco.com).

To complete the enrollment, click Enroll. (Or, to edit the form, click Back.)

What happens next depends on your CA.

■ Some CAs provide an immediate response. If so, you see a message that your enrollment
succeeded. You can view and manage the certificate under the Certificates tab.

■ If the enrollment status is Request pending, your CA does not immediately approve your
request. You see a status pending pop-up window.
Summary

This topic summarizes what you learned in this lesson.

■ Digital certificates bind a person or entity to a public key (the matching private key stays
with the holder and is never sent to the CA).

■ The Cisco VPN Client and Concentrator create PKCS#10 requests. PKCS#10 requests are sent
to the CA to be verified.

■ The CA issues X.509 certificates to the VPN Client and Concentrator.

■ Certificates are loaded on the VPN Client and Concentrator.

■ Certificates are exchanged during IKE negotiations.

■ Certificates are validated by the receiving device.
Lab Exercise—Configure the Cisco VPN 3000
Series Concentrator for Remote Access Using
Digital Certificates

Complete the following lab exercise to practice what you learned in this lesson.

Objectives

Your task in this lab exercise is to install and configure the Cisco Virtual Private Network (VPN)
Client and the Cisco VPN 3000 Series Concentrator to enable Internet Protocol Security (IPSec)
encrypted tunnels using digital certificates. In this lab exercise, you will work with your lab
exercise partner to complete the following tasks:

■ Complete lab exercise setup.
■ Return the Concentrator to factory settings.
■ Configure the Concentrator private interface using the CLI.
■ Configure the Concentrator public interface using the CLI.
■ Configure the Concentrator default gateway using the CLI.
■ Configure the Concentrator using the Cisco VPN 3000 Concentrator Series Manager.
■ Modify the Concentrator public filter.
■ Enable the Concentrator public filter.
■ Generate the PKCS#10 certificate request.
■ Send the PKCS#10 certificate request to the certificate server.
■ Download a new identity certificate to the student PC.
■ Generate a root certificate and download it to the student PC.
■ Load the root certificate into the Concentrator.
■ Load the identity certificate into the Concentrator.
■ Activate the Concentrator IKE proposal.
■ Modify the Concentrator Security Associations.
■ Verify the Concentrator IPSec Client-to-LAN group parameters.
■ Create a certificate request on the Cisco VPN Client.
■ Copy the request file to the paste buffer.
■ Copy the PKCS#10 to the certificate server.
■ Download the Cisco VPN Client identity certificate.
■ Retrieve the Cisco VPN Client root certificate.
■ Import the Cisco VPN Client root certificate into the certificate store.
■ Import the Cisco VPN Client identity certificate into the certificate store.
■ Configure the Cisco VPN Client for digital certificates.
■ Launch the Cisco VPN Client.
■ Configure the certificate manager for network-based certificates.
■ Create a new Cisco VPN Client connection record.
■ Launch the Cisco VPN Client.
■ Configure DN matching rules.
■ Launch the Cisco VPN Client.
■ Launch the Cisco VPN Client.
■ Return the Cisco VPN Client and Concentrator to pre-shared keys.
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Visual Objective 


The following figure displays the configuration you will complete in this lab exercise. 


Lab Visual Objective

(Figure: the student PC at 172.26.26.P running the Cisco VPN Client, connected to the Concentrator.)


Scenario 


Your company wants you to implement a VPN using remotely located Cisco VPN Clients 
terminating at centrally located Concentrators. You must configure both the remote Cisco VPN 
Clients and the Concentrators for remote access using digital certificates for authentication. 


Task 1—Complete Lab Exercise Setup

Before starting this lab exercise, verify that your equipment is set up as follows:

■ Ensure that your student PC is powered on.

■ Ensure that your student PC IP addresses are configured correctly:

— Primary IP address—172.26.26.P
(where P = pod number)

— Default gateway IP address—172.26.26.150

■ Ensure that your Concentrator is powered on.

■ Ensure that you can ping the certificate server, 172.26.26.51.
Task 2—Return the Concentrator to Factory Settings

The instructor will provide you with procedures to access the Concentrator's console port, as this
procedure will vary according to your connectivity. After accessing the Concentrator's console
port, the Concentrator prompt will appear. Complete the following steps to return the
Concentrator to the factory settings:

Note This procedure assumes that Windows 2000 is already running on the student PC.

Step 1 Log in to the Concentrator's command line interface (CLI) using the administrator account:

Login: admin

Password: admin

Caution If you get a Quick prompt for the system time and date parameters, the device has already
been rebooted to factory defaults. Proceed directly to Task 3.

Step 2 Access the Administration menu:

Main -> 2

Step 3 Access the System Reboot menu:

Admin -> 3

Step 4 Access the Schedule Reboot menu:

Admin -> 2

Step 5 Select Reboot ignoring the Configuration file:

Admin -> 3

Step 6 Select Reboot Now:

Admin -> 2

The Reboot scheduled immediately message appears, followed by the Rebooting VPN 3000
Concentrator Series now message. Do not attempt to log in at the first login prompt you see, as it
takes several moments for the Concentrator to complete the reboot. A login prompt
appears when the reboot is complete.

Step 7 Leave the Command Prompt window open.
Task 3—Configure the Concentrator Private Interface Using the CLI

Complete the following steps to configure the Cisco VPN 3000 Series Concentrator private local
area network (LAN) interface using the CLI quick configuration mode. This procedure assumes
that the CLI session is still active. If it is not active, follow Steps 1-7 of Task 2 before
proceeding.

Step 1 Log in to the Concentrator's CLI using the administrator account and complete the following
actions, starting from the CLI top-level menu:

Login: admin

Password: admin

When an administrator reboots a Concentrator, as in the previous task, the CLI menus open in a
slightly different order. If you get the Quick prompt for the system parameters, press Enter
through the time, date, time zone, and DST prompts. Complete the following steps:

Step 2 Enter the Concentrator's private interface IP address:

Quick Ethernet 1 -> [0.0.0.0] 10.0.P.5
(where P = pod number)

Step 3 Enter the Concentrator's private interface subnet mask:

Quick Ethernet 1 -> [255.0.0.0] 255.255.255.0

Step 4 Accept the default Ethernet speed of 10/100 Mbps Auto Detect:

Quick Ethernet 1 -> [3] <Enter>

Step 5 Accept the default duplex mode of Half/Full/Auto:

Quick Ethernet 1 -> [1] <Enter>

Step 6 Accept the default maximum transmission unit (MTU) size:

Quick Ethernet 1 -> [1500] <Enter>

Step 7 Save changes to the configuration file:

Quick -> 3

Step 8 Exit the CLI:

Quick -> 5

If you do not exit, the CLI continues its quick configuration script. You will use the standard
CLI menus for the remaining parameters.

Step 9 Leave the Command Prompt window open.


Task 4—Configure the Concentrator Public Interface Using the CLI

Complete the following steps to configure the Concentrator's public interface:

Step 1 Log in to the Concentrator's CLI using the administrator account and complete the following
actions, starting from the CLI top-level menu:

Login: admin

Password: admin

Step 2 Select the Configuration menu:

Main -> 1

Step 3 Select the Interface Configuration menu:

Config -> 1

Step 4 Select the Configure Ethernet #2 (Public) menu:

Interfaces -> 2

Step 5 Select the Interface Setting menu:

Ethernet Interface 2 -> 1

Step 6 Accept the default setting of Enable using Static IP Addressing:

Ethernet Interface 2 -> [3] <Enter>

Step 7 Enter the Concentrator's public interface IP address:

Ethernet Interface 2 -> [0.0.0.0] 192.168.P.5
(where P = pod number)

Step 8 Accept the default setting for the subnet mask:

Ethernet Interface 2 -> [255.255.255.0] <Enter>

Several messages appear indicating the condition of the Ethernet #2 (public) interface.

Step 9 Select the Select IP Filter menu:

Ethernet Interface 2 -> 3

Step 10 Select 0 (no filter) on the Ethernet #2 (public) interface:

Ethernet Interface 2 -> [Public (Default)] 0

In this lab exercise, you disable filtering on the public LAN interface to allow access to the
HTTP-based Cisco VPN 3000 Concentrator Series Manager from your student PC. Never select
0 (no filter) on a live network: it removes all traffic filtering from the public interface and
exposes the Concentrator's management interface and other services to the untrusted network.

Step 11 Return to the top-level menu:

Ethernet Interface 2 -> h

Step 12 Save changes to the configuration file:

Main -> 4

Step 13 Remain logged in to the CLI and leave the Command Prompt window open.


Task 5—Configure the Concentrator Default Gateway Using the CLI

Complete the following steps to set the Concentrator's default gateway parameter to the IP
address of the perimeter router, starting from the CLI top-level menu:

Step 1 Select the Configuration menu:

Main -> 1

Step 2 Select the System Management menu:

Config -> 2

Step 3 Select the IP Routing menu:

System -> 4

Step 4 Select the Default Gateways menu:

Routing -> 2

Step 5 Select the Set Default Gateway menu:

Routing -> 1

Step 6 Enter the perimeter router IP address:

Routing -> 192.168.P.1
(where P = pod number)

Step 7 Select the Set Default Gateway Metric menu:

Routing -> 2

Step 8 Accept the Default Gateway Routing Metric of 1:

Routing -> [1] <Enter>

Step 9 Return to the top-level menu:

Routing -> h

Step 10 Save changes to the configuration file:

Main -> 4

Step 11 Exit the CLI session:

Main -> 6

Step 12 Close the Command Prompt window.


Task 6—Configure the Concentrator Using the Cisco VPN 3000 
Concentrator Series Manager 


Earlier you configured both the private and public interfaces using the CLI feature of the 
Concentrator. Complete the following steps to finish the configuration using the Cisco VPN 
3000 Concentrator Series Manager. 


Note This procedure assumes that Windows 2000 is already running on the student PC. 


Step 1 Launch Internet Explorer by double-clicking the desktop icon. 


Step 2 Enter the Concentrator’s public interface IP address of 192.168.P.5 in the Internet Explorer 
Address field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 
Concentrator Series Manager. 


Step 3 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account: 


Login: admin 


Password: admin 
The username (login) and password are always case sensitive. 
Step 4 In the main window, click "click here to start Quick Configuration."

Step 5 Complete the following sub-steps starting from the Configuration>Quick>IP Interfaces window:

1. Verify the IP addresses of Ethernet 1 (10.0.P.5) and Ethernet 2 (192.168.P.5), which you
configured via the CLI.
(where P = pod number)

2. Click Apply if you have made changes to either Interface 1 or 2; otherwise, click Continue.

Step 6 Complete the following sub-steps starting from the Configuration>Quick>System Info window:

1. Enter podP in the System Name field.
(where P = pod number)

Your instructor will provide you with the values to complete the following table:

Parameter                                                         | Value
Time (Hour:Minute:Second AM/PM) (for example, 2:45:00 PM)         |
Date (Month/Day/Year) (for example, July/6/2001)                  |
Time Zone (offset in hours from GMT) (for example, (GMT-05:00) EST) |
Enable DST Support? (circle one)                                  | SELECT / DE-SELECT

2. Enter the correct time, date, and time zone from the previous table.

3. Select or de-select the Enable DST Support check box according to the previous table.

4. Leave the DNS server IP address set to 0.0.0.0.

5. Enter cisco.com in the Domain field.

6. Leave the perimeter router IP address in the Default Gateway field.

7. Click Continue.


Step 7 Complete the following sub-steps starting from the Configuration>Quick>Protocols window: 


1. De-select the PPTP check box. 
2. De-select the L2TP check box. 
3. Select the IPSec check box. 

4. Click Continue. 


Step 8 Complete the following sub-steps starting from the Configuration>Quick>Address Assignment 
window: 


1. Select DHCP. 


2. Enter a DHCP server IP address in the Specify Server field: 10.0.P.10. 
(where P = pod number) 


3. Click Continue. 


Step 9 Complete the following sub-steps starting from the Configuration>Quick> 
Authentication window: 


1. Select Internal Server from the Server Type drop-down menu. 
2. Click Continue.

Step 10 Complete the following sub-steps starting from the Configuration>Quick>User Database
window:

These entries are all case-sensitive. Use lower case.

1. Enter studentP in the User Name field.
(where P = pod number)

2. Enter studentP in the Password field.
(where P = pod number)

3. Enter studentP in the Verify field.
(where P = pod number)

4. Click Add to add the new user to the database.

5. The new username should appear in the Current Users list box.

6. Click Continue.

Step 11 Complete the following sub-steps starting from the Configuration>Quick>IPSec Group window:

These entries are all case-sensitive and must be entered in lower case.

1. Enter training in the Group Name field.

2. Enter training in the Password field.

3. Enter training in the Verify field.

4. Click Continue.


Step 12 Click Continue from the Configuration>Quick>Admin Password window. 


Normally you would change your password, but for lab consistency, leave the password at the 
default value. 


Step 13 Complete the following sub-steps starting from the Configuration>Quick>Done window: 


1. Click the Save Needed icon (in the upper right of the window). The Save Successful 
window opens. 


2. Click OK and leave the Internet Explorer window open. 


Task 7—Modify the Concentrator Public Filter

Filtering must be enabled on the Concentrator's public interface to allow the Cisco VPN Client
to connect to the Concentrator. By definition, the Public (default) filter permits only tunnel and
Internet Control Message Protocol (ICMP) traffic to pass through the interface. This filter
blocks the HTTP traffic from your student PC. For this lab exercise, the public filter is
modified to permit HTTP traffic both inbound and outbound. Complete the following
steps so that you can configure and monitor the Concentrator from the public side of the network:

Note This is for lab exercise purposes only. For security reasons, HTTP In and Out should never be
enabled on the public interface in a production environment.

Step 1 From the Configuration menu tree, drill down to Policy Management>Traffic Management>
Filters.

Step 2 Choose the Public (default) filter from the Filter list.

Step 3 Click Assign Rules to Filter within Actions.

Step 4 Choose Incoming HTTP In (forward/in) from the Available Rules list.

Step 5 Click Add.

Step 6 Choose Incoming HTTP Out (forward/out) from the Available Rules list.

Step 7 Click Add.

Step 8 Click Done.


Task 8—Enable the Concentrator Public Filter

Filtering must be enabled on the public interface to allow the Cisco VPN Client to connect to the
Concentrator. Earlier you temporarily set the public interface filter to 0 (none) so you could
configure the Concentrator via HTTP. Complete the following steps to configure the public
interface filter:

Step 1 From the Configuration menu tree, drill down to Interfaces>Ethernet 2 (Public).

Step 2 Select the General tab.

Step 3 Choose Public (default) from the Filter drop-down menu.

Step 4 Click Apply.

Step 5 Click the Save Needed icon to save your configuration changes.


Task 9—Generate the PKCS#10 Certificate Request

When using the Cisco VPN Client for remote access with digital certificates, IPSec establishes a
secure tunnel. During the IPSec tunnel establishment process, the Concentrator and the Cisco
VPN Client must exchange digital certificates. Before digital certificates can be exchanged, a
digital certificate must be loaded into both the Cisco VPN Client and the Concentrator. The next
few tasks lead you through the process of loading a digital certificate into the Concentrator.
Complete the following steps to create a Concentrator-generated certificate request:

Step 1 From the Administration menu tree, drill down to Certificate Management. View the Identity
Certificates and Certificate Authorities sections of the window. If there are identity and root
certificates present, complete the following sub-steps to delete them. (Otherwise, continue with
the next step.)

1. Click Delete in the Identity Certificates Actions column. The Administration>Certificate
Management>Delete window appears.

2. Click Yes. The Administration>Certificate Management window appears.

3. Click Delete in the Certificate Authority Actions column. The Administration>
Certificate Management>Delete window appears.

4. Click Yes. The Administration>Certificate Management window appears.

Step 2 Select Click here to enroll with a Certificate Authority. The Administration>Certificate
Management>Enroll window appears.

Step 3 Select Identity certificate. The Administration>Certificate Management>Enroll>Identity
Certificate window appears.

Step 4 Select Enroll via PKCS10 Request (Manual). The Administration>Certificate Management>
Enroll>Identity Certificate>PKCS10 window appears.

Step 5 Complete the following sub-steps to fill out the enrollment form:

1. Enter a common name: studentPX.
(where P = pod number, and X = your first and last initials)

2. Enter an organizational unit: training.

The Concentrator uses the OU as the group name. This parameter must match end-to-end: the
OU in the certificate must equal the group name configured on the Concentrator.

3. Enter an organization: Cisco Systems.

4. Enter a locality: Austin.

5. Enter a state/province: Texas.

Do not abbreviate the state/province name.

6. Enter a country: US.

7. Leave the subject alternative name fields blank.

8. Select a key size: RSA 512 bits.

Note A 512-bit RSA key is chosen here only to keep the lab fast. It is far too small for a live
network (512-bit RSA moduli have been factored publicly), so in production select the largest key
size the Concentrator offers, at least 1024 bits and preferably 2048 bits where supported.

9. Click Enroll. After a moment, a new Internet Explorer window opens containing the
certificate request. Leave the Internet Explorer window open and proceed to the next task.


Task 10—Send the PKCS#10 Certificate Request to the Certificate Server

The certificate request must be sent to the certificate server so that an identity certificate can be
generated. The transport method used in this lab exercise is copy and paste. First you copy
the certificate request generated by the Concentrator, and then you paste the certificate
request directly into the certificate server via its web interface. Complete the following steps to
send the PKCS#10 certificate request to the certificate server:

Step 1 Return to the Internet Explorer window containing the PKCS#10 and complete the following
sub-steps:

1. Select Edit>Select All. The contents of the PKCS#10 are highlighted.

2. Select Edit>Copy. The contents of the PKCS#10 are copied to the student PC's paste
buffer.

3. Close the Internet Explorer window containing the PKCS#10.

Step 2 Return to the Cisco VPN 3000 Concentrator Series Manager window and complete the following
sub-steps:

1. Drill down to File Management from the Administration menu tree.

2. Verify that a new PKCS000N.TXT file exists.
(where N = any integer)

3. Locate the PKCS000N.TXT row and click View. A new Internet Explorer window opens,
displaying a copy of the PKCS#10.
(where N = any integer)

4. Close the new Internet Explorer window.

Step 3 Log out of the Concentrator. Do not close the Internet Explorer window.

Step 4 Enter the certificate server address, 172.26.26.51/certsrv, in the Internet Explorer Address field.
The Microsoft Certificate Services window opens.

Note You need to append /certsrv to the certificate server IP address (for example,
172.26.26.51/certsrv).

Step 5 Select Request a Certificate from the menu and click Next.

Step 6 Select Advanced Request from the menu and click Next.

Step 7 Select Submit a certificate request using a base64 encoded PKCS#10 file or a renewal
request using a base64 encoded PKCS#7 file from the Advanced Certificate Requests menu
and click Next.

Step 8 Press Ctrl+V to paste the PKCS#10 contents into the Saved Request box.

Step 9 Click Submit. The Certificate Issued window opens. Remain logged in to the certificate server
and proceed to the next task.


Task 11—Download a New Identity Certificate to the Student PC 

In the previous task, the certificate request was pasted into the certificate server and the 
certificate server issued the identity certificate. Complete the following steps to download the 
identity certificate to your student PC: 

Step 1 Select Base 64 encoded from the Certificate Issued window. 

Step 2 Click Download CA Certificate. The File Download window opens. 

Step 3 Select Save this file to disk and click OK. The Save As window appears. 

Step 4 Complete the following sub-steps from the Save As window: 

1. Click the Save in: drop-down menu and search for the Certs folder. Select the Certs 
folder. 

2. Enter a file name in the File Name field: ID cert X. 
(where X = your first and last initials) 

3. Click Save. The Download Complete window opens. 


Step 5 Click Close. 


Step 6 Click Home in the upper right portion of the window of the Microsoft Certificate Services 
window. The Welcome window opens. Leave the Welcome window open and proceed to the 
next task. 


Task 12—Generate a Root Certificate and Download it to the Student PC 


In the prior task, the identity certificate was downloaded to the student PC. Complete the 
following steps to retrieve a root certificate and load it on the student PC: 

Step 1 Select Retrieve the CA certificate or certificate revocation list. 

Step 2 Click Next. The Retrieve the CA Certificate or Certificate Revocation List window opens. 


Step 3 Highlight the current CA certificate. (If you are unsure of which CA certificate is the current CA 
certificate, ask the instructor for help.) 

Step 4 Select Base 64 encoded. 

Step 5 Click Download CA Certificate. The File Download window opens. 

Step 6 Select Save this file to disk and click OK. The Save As window opens. 

Step 7 From the Save As window, complete the following sub-steps: 

1. Click the Save in: drop-down menu and search for the certificates folder. Select the Certs 
folder. 

2. Enter a file name in the File Name field: root cert X. 
(where X = your first and last initials) 

3. Click Save. The Download Complete window opens. 


Step 8 Click Close. The root certificate is installed on your student PC. Leave the Internet Explorer 
window open and proceed to the next task. 


Task 13—Load the Root Certificate Into the Concentrator 
Complete the following steps to load the Root certificate into the Concentrator: 


Step 1 Enter the Concentrator’s public interface IP address in the Internet Explorer address field: 
192.168.P.5 (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 
Concentrator Series Manager. 


Step 2 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account: 
Login: admin 
Password: admin 


Step 3 Drill down to Certificate Management from the Administration menu tree. Select Click here to 
install a CA certificate. The Administration>Certificate Management>Install>CA Certificate 
window opens. 

Step 4 Select Upload File from Workstation. The Administration>Certificate 
Management>Install>CA Certificate>Upload File from workstation window opens. 

Step 5 Click Browse. The Choose file window opens. 

Step 6 From the Choose file window, locate the root certificate in the student PC's Certs folder. 

Step 7 Highlight the root certificate file and click Open. The Administration>Certificate 
Management>Install>CA Certificate>Upload File from workstation window opens. 

Step 8 Click Install. The Administration>Certificate Management window opens. 

Step 9 Choose the Certificate Authorities section and complete the following sub-steps: 

1. Under the Actions column, click View and answer the following questions: 

Q1) Under Subject, what is the CN? 

A) 

Q2) Under Issuer, what is the CN? 

A) 

Q3) What signing algorithm was used? 

A) 

Q4) What was the public key type? 

A) 

Q5) What are the validity dates? 

A) 

2. Click Back. The Root certificate was successfully installed. 


Task 14—Load the Identity Certificate into the Concentrator 

Complete the following steps to load the Identity certificate into the Concentrator: 

Step 1 From the Administration>Certificate Management window, select Click here to install a 
certificate. The Administration>Certificate Management>Install window appears. 

Step 2 Select Install certificate obtained via enrollment. The Administration>Certificate 
Management>Install certificate obtained via enrollment window opens. 

Step 3 Under the Actions column, select Install. The Administration>Certificate Management>Install> 
Identity Certificate window opens. 

Step 4 Select Upload file from workstation. The Administration>Certificate Management> 
Install>Identity Certificate>Upload from workstation window opens. 

Step 5 Click Browse. The Choose file window opens. 

Step 6 From the Choose file window, locate the identity certificate in the student PC's Certs folder. 

Step 7 Highlight the identity certificate file and click Open. The Administration>Certificate 
Management>Install>Certificate>Upload File from workstation window opens. 

Step 8 Click Install. The Administration>Certificate Management window opens. A new identity 
certificate is present under the Identity Certificate section. 

Step 9 Choose the Identity Certificate section. Under the Actions column, click View and answer the 
following questions: 

Q6) Under Subject, what is the CN? 

A) 

Q7) Under Issuer, what is the CN? 

A) 

Q8) What signing algorithm was used? 

A) 

Q9) What was the public key type? 

A) 

Q10) What are the validity dates? 

A) 

Step 10 Click Back. Remain logged into the Concentrator, leave the Internet Explorer window open, and 
proceed to the next task. 


Task 15—Activate the Concentrator IKE Proposal 

By default, there are no digital certificate IKE proposals listed in the Concentrator under the IKE 
Active Proposals column. Complete the following steps to activate a digital certificate IKE 
proposal: 

Step 1 From the Configuration menu tree, drill down to System>Tunneling Protocols>IPSec>IKE 
Proposals. 

Step 2 Select the CiscoVPNClient-3DES-MD5-RSA proposal in the Inactive Proposals list. 

Step 3 Click Activate. 

Step 4 Select the CiscoVPNClient-3DES-MD5-RSA proposal in the Active Proposals list. 

Step 5 Select Modify and complete the following sub-steps: 

1. Verify the authentication mode is set to: RSA Digital Certificate (XAUTH). 

2. Verify the authentication algorithm is set to: MD5/HMAC-128. 

3. Verify the encryption algorithm is set to: 3DES-168. 

4. Verify the Diffie-Hellman Group is set to: Group 2 (1024-bits). 

Step 6 Click Apply. 

Step 7 Select the CiscoVPNClient-3DES-MD5-RSA proposal in the Active Proposals list. Under the 
Actions column, click Move Up. Click Move Up until the CiscoVPNClient-3DES-MD5-RSA 
proposal is at the top of the Active Proposals list. 

Step 8 Save your configuration changes. 
Task 16—Modify the Concentrator Security Associations 

Security Associations (SAs) define the IKE and IPSec parameters that are negotiated when the 
IPSec remote access tunnel is established. Since we are migrating from a pre-shared key 
exchange to a digital certificate exchange, a digital certificate IKE template needs to be applied 
to the negotiation. Complete the following steps to add a digital certificate SA: 

Step 1 From the Configuration menu tree, drill down to Policy Management>Traffic Management> 
SAs. The Configuration>Policy Management>Traffic Management>Security Associations 
window opens. 

Step 2 Click Add under the Actions column. The Configuration>Policy Management>Traffic 
Management>Security Associations>Add window opens. 

Step 3 Complete the following sub-steps: 

1. Enter in the SA Name field: ESP-3DES-MD5-RSA. 

2. In the IKE Parameters section of the window, select studentPX from the Digital Certificate 
drop-down menu. 
(where P = pod number, and X = your first and last initials) 

3. Choose CiscoVPNClient-3DES-MD5-RSA from the IKE proposal drop-down menu. 

4. Click ADD. 


Task 17—Configure the Concentrator IPSec Client-to-LAN Group Parameters 

In the previous task, a pre-shared keys SA was configured for the training remote access group. 
In this task, the new digital certificate SA is assigned to the training remote access group. 
Complete the following steps to modify the group IPSec SA parameter: 

Step 1 From the Configuration menu tree, drill down to User Management>Groups. The 
Configuration>User Management>Groups window opens. 

Step 2 Select training (Internally Configured) and click Modify Group. The Configuration>User 
Management>Groups>Modify training window opens. 

Step 3 Select the IPSec tab. 

Step 4 Choose the IPSec SA from the drop-down menu: ESP-3DES-MD5-RSA. 

Step 5 Click Apply. 

Step 6 Save your configuration changes. 

Step 7 Log out of the Concentrator. 

Step 8 Close Internet Explorer. 


Task 18—Create a Certificate Request on the Cisco VPN Client 

In previous tasks, you created and loaded an identity and root certificate on the Concentrator. In 
the next few steps, you will create and load an identity and root certificate on the Cisco VPN 
Client. In this task, you will generate a certificate request. Complete the following steps to create 
a certificate request for the Cisco VPN Client: 

Step 1 Choose Start>Programs>Cisco Systems VPN Client>VPN Client. The Cisco VPN Client 
window opens. 

Step 2 Select the Certificates tab. 

Step 3 Click Enroll. The Certificate Enrollment window opens. 

Step 4 Select an enrollment type of File. 

Step 5 Select a file type: Base 64. 

Step 6 Enter a file name in the Filename field: requestPX. 
(where P = pod number, and X = your first and last initials) 

Step 7 Leave the Password field blank. 

Step 8 Click Next. The Certificate Enrollment window opens. 

Step 9 Complete the enrollment form using the following sub-steps: 

1. Enter a Common Name: studentPX. 
(where P = pod number, and X = your first and last initials) 

2. Enter a Department Name: training. 

3. Enter a Company: Cisco. 

4. Leave all other fields blank. 

Step 10 Click Enroll. The Creation of the Enrollment Request File was Successful window opens. 

Step 11 Click OK. 


Task 19—Copy the Request File to the Paste Buffer 

Complete the following steps to make a copy of the request: 

Step 1 Open the C:\Program Files\Cisco Systems\VPN Client folder. 

Step 2 Double-click the requestPX file and open it using Notepad. The file opens in a Notepad 
window. 
(where P = pod number, and X = your first and last initials) 

Step 3 Choose Edit>Select All. The contents of the request file are highlighted. 

Step 4 Select Edit>Copy. 

Step 5 Close the Notepad window. 

Step 6 Close the C:\Program Files\Cisco Systems\VPN Client folder window. 


Task 20—Copy PKCS#10 to the Certificate Server 

Complete the following steps to paste the PKCS#10 into the certificate server: 

Step 1 Launch Internet Explorer by double-clicking the desktop icon. 

Step 2 Enter a certificate server IP address (172.26.26.51/certsrv) in the Internet Explorer Address 
field. The Microsoft Certificate Services window opens. 

Note When connecting to the certificate server, you need to append /certsrv to the certificate server 
IP address (for example, 172.26.26.51/certsrv). 

Step 3 Click Request a Certificate under Select a Task. 

Step 4 Click Next. 

Step 5 Select Advanced Request under Choose Request Type. 

Step 6 Click Next. 

Step 7 Click Submit a certificate request using a base 64 encoded PKCS#10 file or a renewal 
request using a base64 PKCS#7 file under Advanced Certificate Requests. 

Step 8 Click Next. The Submit a Saved Request window opens. 

Step 9 Use the Ctrl>V keys to paste the contents of the new certificate request into the Saved Request box. 

Step 10 Click Submit. The Certificate Issued window opens. Do not close the Certificate Server window. 
Proceed to the next task. 


Task 21—Download the Cisco VPN Client Identity Certificate 

In the previous tasks, the Cisco VPN Client certificate request was pasted into the certificate 
server and the certificate server issued the Cisco VPN Client identity certificate. Complete the 
following steps to download the Cisco VPN Client identity certificate to the student PC: 

Step 1 Select Base 64 encoded in the Certificate Issued window. 

Step 2 Select Download CA certificate. The File Download window opens. 

Step 3 Select Save this file to disk. 

Step 4 Click OK. The Save As window opens. 

Step 5 Select the save in folder: Certs. 

Step 6 Enter a file name: client ID cert X. 
(where X = your first and last initials) 

Step 7 Click Save. The Download Complete window opens. 

Step 8 Click Close. The Certificate Issued window opens. 

Step 9 Click Home in the upper right portion of the certificate server window. The 
Welcome window opens. Leave the Internet Explorer window open and proceed to the next task. 


Task 22—Retrieve the Cisco VPN Client Root Certificate 

Complete the following steps to retrieve the root certificate from the Certificate Authority (CA) 
and load it on the student PC: 

Step 1 Select Retrieve the CA Certificate or certificate revocation list. 

Step 2 Click Next. The Choose file to download window opens. 

Step 3 Highlight the current CA certificate. (If you are unsure of which CA certificate is the current CA 
certificate, ask the instructor for help.) 

Step 4 Select Base 64 encoded. 

Step 5 Click Download CA Certificate. The File Download window opens. 

Step 6 Select Save this file to disk. 

Step 7 Click OK. The Save As dialog box opens. 

Step 8 Click Browse and search for the Certs folder. Select the save in folder: Certs. 

Step 9 Enter a file name: client root X. 
(where X = your first and last initials) 

Step 10 Click Save. The Download Complete window opens. 

Step 11 Click Close. 

Step 12 Close Internet Explorer. 


Task 23—Import the Cisco VPN Client Root Certificate into the Certificate Store 

In previous tasks, identity and root certificates were generated and then downloaded to the 
student PC. Complete the following steps to import the client root certificate into the certificate 
store on the student PC: 

Step 1 If the Cisco VPN client is not open, choose Start>Programs>Cisco Systems VPN Client>VPN 
Client. 

Step 2 Select the Certificates tab. 

Step 3 Click Import and complete the following sub-steps within the VPN Client>Import Certificate 
window: 

1. Select the Import from File button. 

2. Click Browse. The Open window opens. 

3. Look in the Certs folder. 

4. Select client root X. 
(where X = your first and last initials) 

5. Click Open. The Import Certificate>Source window opens. 

6. Click Import. The Certificate successfully imported window opens. 

7. Click OK. 


Task 24—Import the Cisco VPN Client Identity Certificate into the Certificate Store 

Complete the following steps to load the client identity certificate into the certificate store: 

Step 1 Select the Certificates tab. 

Step 2 Click Import and complete the following sub-steps within the VPN Client>Import Certificate 
window: 

1. Select the Import from File button. 

2. Click Browse. The Open window opens. 

3. Look in the Certs folder. 

4. Select client ID cert X. 
(where X = your first and last initials) 

5. Click Open. The Import Certificate>Source window opens. 

6. Click Import. The Certificate successfully imported window opens. 

7. Click OK. 


Task 25—Configure the Cisco VPN Client for Digital Certificates 

In the last tasks, root and identity certificates were created for the client. In this task, enable the 
Cisco VPN Client to use digital certificates for IKE authentication. Complete the following steps 
to edit the authentication parameters of the studentP Cisco VPN Client. 

Note This procedure assumes Windows 2000 is already running on the student PC. 

Step 1 If the Cisco VPN client is not open, choose Start>Programs>Cisco Systems VPN Client>VPN 
Client. The Cisco Systems VPN Client window opens. 
The studentP entry from the previous lab must be edited before establishing a new connection. 

Step 2 Click the Connection Entries tab. 

Step 3 Highlight studentP and select Modify. The Properties for StudentP window opens. 
(where P = pod number) 

Step 4 Select the Authentication tab. 

Step 5 Select Certificate Authentication and complete the following sub-steps: 

1. Select studentPX (Cisco) from the Name drop-down menu. 
(where P = pod number, and X = your first and last initials) 

2. Click Save. 


Task 26—Launch the Cisco VPN Client 

Complete the following steps to launch the Cisco VPN Client: 

Step 1 If the Cisco VPN client is not open, choose Start>Programs>Cisco Systems VPN Client>VPN 
Client. 

Step 2 Click Connect. The VPN Certificate Authentication window opens. Do not enter a password. 

Step 3 Click OK. The User Authentication window opens. 

Step 4 Enter a username: studentP. 
(where P = pod number) 

Step 5 Enter a password: studentP. 
(where P = pod number) 

Step 6 Click OK. The Cisco VPN Client icon appears in the student PC system tray. 

Step 7 Launch Internet Explorer by double-clicking the desktop icon. 


Step 8 Enter the Concentrator private interface IP address in the Internet Explorer Address field: 
10.0.P.5 (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 
Concentrator Series Manager. 


Step 9 Log in to the Cisco VPN Concentrator Series Manager using the administrator account: 


Login: admin 


Password: admin 
Step 10 From the Monitoring menu tree, drill down to Sessions. 


Step 11 From the Remote Access Sessions section, select studentP. The Monitoring>Sessions>Detail 
window appears. 
(where P = pod number) 


Step 12 Answer the following question by referring to the IKE Session section of the window: 
Q11) What authentication mode was used for this tunnel? 


A) 


Step 13 Log out of the Concentrator. 


Step 14 Double-click the Cisco VPN Client icon in the student PC’s system tray and disconnect any 
existing Client-to-LAN sessions. 


Step 15 Close Internet Explorer. 


Task 27—Configure the Certificate Manager for Network-Based 
Certificates 


In the previous topic, you used file-based certificate (manual) enrollment and installation of 
certificates. In this topic you will use the Cisco VPN Client Certificate Manager to create a 
network-based certificate, which is an automated process for enrolling, creating, installing, 
viewing and verifying certificates. Use this task to enroll and manage certificates via the 
network-based method. Complete the following steps to configure the Certificate Manager for 
network-based certificates: 


Step 1 If the Cisco VPN client is not open, choose Start>Programs>Cisco Systems VPN Client>VPN 
Client. 


Step 2 Select the Certificates tab. 

Step 3 Click Enroll. The Certificate Enrollment window opens. 
Step 4 Select Online. 

Step 5 Complete the following sub-steps: 


1. Select a Certificate Authority: <New>. 
2. Enter the following URL: http://172.26.26.51/certsrv/mscep/mscep.dll 
3. Enter a Domain: cisco.com. 


4. Leave the Challenge Password blank. 
Step 6 Click Next. The Certificate Enrollment window opens. 

Step 7 Complete the following sub-steps from within the Enrollment>Form window: 

1. Enter a Common Name: scepPX. 
(where P = pod number, and X = your first and last initials) 

2. Enter a Department: training. Use lower-case text; the text must exactly match the 
configuration of the Concentrator. 

3. Enter a Company: ABCD. (Be careful of the spelling; you will enter this name later in the 
DN matching topic of the lab exercise.) Leave the remaining fields blank. 

4. Click Enroll. The Certificate enrollment completed successfully dialog box opens. 

Step 8 View the enrollment status message and click OK. 

Step 9 Select the new scepPX certificate. 
(where P = pod number, and X = your first and last initials) 

Step 10 Click Verify. A Certificate is valid message should appear. 

Step 11 Click OK. 


Task 28—Create a New Cisco VPN Client Connection Record 

In the previous task you exported client certificates and loaded them on the Concentrator. Your 
current Cisco VPN Client connection reflects the certificate obtained via the file enrollment method. 
You need to make a new connection entry based on the Simple Certificate Enrollment Protocol 
(SCEP) generated certificate. It is best if you make a new connection profile. Complete the 
following steps to create a new Cisco VPN Client connection record: 

Step 1 If the Cisco VPN client is not open, choose Start>Programs>Cisco Systems VPN Client>VPN 
Client. The Cisco Systems VPN Client window opens. 

Step 2 Select the Connection Entries tab. 

Step 3 Click New. The Create New VPN Connection Entry wizard opens. 

Step 4 Enter the name for the new connection entry in the Connection Entry field: scepP. 
(where P = pod number) 

Step 5 Enter a Concentrator public interface IP address in the Host field: 192.168.P.5. 
(where P = pod number) 

Step 6 Select Certificate Authentication. 

Step 7 Select the scepPX certificate from the Name drop-down menu. 
(where P = pod number, and X = your first and last initials) 

Step 8 Click Save. 


Task 29—Launch the Cisco VPN Client 

Verify the certificates and the Cisco VPN Client configuration by establishing a VPN tunnel to 
the Concentrator. Complete the following steps to launch the Cisco VPN Client: 

Step 1 If the Cisco VPN Client is not open, choose Start>Programs>Cisco Systems VPN 
Client>VPN Client. 

Step 2 Ensure that the connection entry is scepP. 
(where P = pod number) 

Step 3 Click Connect. The VPN Certificate Authentication window opens. Do not enter a password. 

Step 4 Click OK. The User Authentication window opens. 

Step 5 Enter a username: studentP. 
(where P = pod number) 

Step 6 Enter a password: studentP. 
(where P = pod number) 

Step 7 Click OK. The Cisco VPN Client icon should appear in the system tray. 

Step 8 Launch Internet Explorer using the desktop icon. 

Step 9 Enter a Concentrator private interface IP address in the Internet Explorer Address field: 10.0.P.5 
(where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series 
Manager. 

Step 10 Log in to the Cisco VPN 3000 Concentrator Series Manager: 
Login: admin 
Password: admin 

Step 11 From the Monitoring menu tree, drill down to Sessions. 

Step 12 From the Remote Access Sessions section, select studentP. The Monitoring>Sessions>Detail 
window appears. 
(where P = pod number) 

Step 13 From the IKE Session section of the window, answer the following question: 

Q12) What authentication mode was used for this tunnel? 

A) 

Step 14 Log out of the Concentrator. Do not close Internet Explorer. 

Step 15 Disconnect the Client-to-LAN connection using the Cisco VPN Client icon. 


Task 30—Configure DN Matching Rules 

Earlier you configured both file and SCEP-based client certificates. You entered the same 
department name for each certificate, training, but used a different organizational name for each, 
Cisco and ABCD. In this topic of the lab, you will configure group matching rules to accept 
certificates from training and Cisco. DN matching will reject non-matching certificates, training 
and ABCD. Complete the following steps to configure DN matching using the Cisco VPN 3000 
Concentrator Series Manager. 

Step 1 Enter a Concentrator public interface IP address in the Internet Explorer Address field: 
192.168.P.5 (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 
Concentrator Series Manager. 

Step 2 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account: 
Login: admin 
Password: admin 

The username (login) and password are always case sensitive. 

Step 3 From the Configuration menu tree, drill down to Policy Management>Group Matching>Rules. 

Step 4 Click Add under the Actions column. 

Step 5 From the Configuration>Policy Management>Certificate Group Matching>Rules>Add window, 
complete the following sub-steps: 

1. Select training from the Group drop-down menu. 

2. Choose Organizational Unit (OU) from the Distinguished Name drop-down menu. 

3. Verify the Operator field is Equals (=). 

4. Enter training in the Value field. 

5. Click Append. 

6. Choose Organization (O) from the Distinguished Name drop-down menu. 

7. Enter Cisco in the Value field. (Value is not case sensitive.) To be accepted by the 
Concentrator, a client certificate's OU field must equal training and the O field must equal 
Cisco. 

8. Click Append. 

9. Click Add. The Configuration>Policy Management>Traffic Management>Certificate Group 
Matching>Rules window opens. 

Step 6 From the Configuration menu tree, drill down to Policy Management>Group 
Matching>Policy. 

Step 7 Select Match Group from Rules. 

Step 8 De-select Obtain Group from OU. 

Step 9 Click Apply. 

Step 10 Save the changes. 

Step 11 From the Monitoring menu tree, drill down to Filterable Event Log. 

Step 12 Clear the filterable log and leave Internet Explorer open. 
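The rule just configured (OU must equal training AND O must equal Cisco, values compared without regard to case) and the two policy switches it depends on can be modelled in a few lines. The following is an added example written for this lab, not Cisco's code: it applies a rule list to a client certificate subject under either Match Group from Rules or Obtain Group from OU and reports the outcome with messages shaped like the filterable event log entries the next two tasks ask you to find. The subject DNs, the peer address 172.26.26.1 (pod 1) and the wording of the OU-derived message are constructed for illustration.

```python
"""Model of the Concentrator's Certificate Group Matching logic (Tasks 30-32).

Added example, not Cisco's code. The rule semantics (clauses are ANDed,
values are not case sensitive) and the two policy settings follow the lab
text; the DNs, peer address and the OU-derived log wording are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def parse_dn(dn: str) -> Dict[str, str]:
    """Parse 'CN=scep1AB, OU=training, O=ABCD' into {'CN': 'scep1AB', ...}.

    Attribute types are upper-cased so lookups do not depend on case;
    values are kept as written and compared case-insensitively later.
    """
    attrs: Dict[str, str] = {}
    for rdn in dn.split(","):
        typ, sep, val = rdn.partition("=")
        if sep:
            attrs[typ.strip().upper()] = val.strip()
    return attrs


@dataclass
class Rule:
    """One group matching rule: every clause must hold (they are ANDed),
    so OU must equal training AND O must equal Cisco for the lab rule."""
    group: str
    clauses: List[Tuple[str, str]]  # (DN attribute, value) with operator "="

    def matches(self, subject: Dict[str, str]) -> bool:
        # Values are not case sensitive (lab note): O=cisco matches O=Cisco.
        return all(subject.get(attr.upper(), "").lower() == value.lower()
                   for attr, value in self.clauses)

    def text(self) -> str:
        """Rule as it appears in the event log, e.g. 'ou=training, o=cisco'."""
        return ", ".join(f"{a.lower()}={v.lower()}" for a, v in self.clauses)


@dataclass
class GroupMatchingPolicy:
    match_group_from_rules: bool   # Policy window checkbox (Task 30, Step 7)
    obtain_group_from_ou: bool     # Policy window checkbox (Task 30, Step 8)
    rules: List[Rule] = field(default_factory=list)


def select_group(policy: GroupMatchingPolicy, subject_dn: str,
                 peer_ip: str) -> Tuple[Optional[str], List[str]]:
    """Return (group name or None, event log lines).

    None means no group could be assigned, so IKE authentication fails and
    the client sees the 'remote peer is no longer responding' message.
    """
    subject = parse_dn(subject_dn)
    log: List[str] = []
    if policy.match_group_from_rules:
        for rule in policy.rules:
            if rule.matches(subject):
                log.append(f"group match for cert peer {peer_ip} "
                           f"succeeded using rule {rule.text()}")
                return rule.group, log
            log.append(f"group match for cert peer {peer_ip} "
                       f"failed using rule {rule.text()}")
    if policy.obtain_group_from_ou:
        ou = subject.get("OU")
        if ou:
            # Constructed wording: the lab text does not quote this message.
            log.append(f"group {ou} obtained from OU for cert peer {peer_ip}")
            return ou, log
    else:
        log.append("cert group from OU feature is disabled")
    return None, log


# Lab rule from Task 30 and the two policies toggled in Tasks 30 and 32.
LAB_RULE = Rule("training", [("OU", "training"), ("O", "Cisco")])
RULES_POLICY = GroupMatchingPolicy(True, False, [LAB_RULE])   # Task 30
OU_POLICY = GroupMatchingPolicy(False, True, [LAB_RULE])      # Task 32, Steps 14-15

# Constructed subjects for pod 1, initials AB: the SCEP certificate (O=ABCD)
# and the file-enrolled certificate (O=Cisco).
SCEP_SUBJECT = "CN=scep1AB, OU=training, O=ABCD"
FILE_SUBJECT = "CN=student1AB, OU=training, O=Cisco"

if __name__ == "__main__":
    for dn in (SCEP_SUBJECT, FILE_SUBJECT):
        group, events = select_group(RULES_POLICY, dn, "172.26.26.1")
        print(dn, "->", group)
        for line in events:
            print("   ", line)
```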


Task 31—Launch the Cisco VPN Client 

In this task, you will attempt to establish a tunnel using a non-rule matching certificate. The 
connection will fail. Complete the following steps to launch the Cisco VPN Client: 

Step 1 If the Cisco VPN Client is not open, choose Start>Programs>Cisco Systems VPN 
Client>VPN Client. 

Step 2 Ensure that the connection entry is scepP. 
(where P = pod number) 

Step 3 Click Connect. The VPN Certificate Authentication window opens. Do not enter a password. 

Step 4 Click OK. 

Step 5 A remote peer is no longer responding message appears. Click OK. 

Step 6 Return to Internet Explorer. 

Step 7 If the Filterable Event Log window is not open, go to the Monitoring menu tree and drill down to 
Filterable Event Log. 

Step 8 If no events appear, retrieve the log. 

Step 9 From the filterable event log, find the message group match for cert peer 172.26.26.P failed using 
rule ou=training, o=cisco. 
(where P = pod number) 

Step 10 Find the filterable event log message, cert group from OU feature is disabled. 

Step 11 Clear the filterable event log. 

Step 12 Log out of the Concentrator and close Internet Explorer. 


Task 32—Launch the Cisco VPN Client 

In this task, you will attempt to establish a tunnel using a rule-matching certificate. Complete the 
following steps to launch the Cisco VPN Client: 

Step 1 If the Cisco VPN Client is not open, choose Start>Programs>Cisco Systems VPN 
Client>VPN Client. 

Step 2 Ensure that the connection entry is studentPX. 
(where P = pod number) 

Step 3 Click Connect. The VPN Certificate Authentication window opens. Do not enter a password. 

Step 4 Click OK. The User Authentication window opens. 

Step 5 Enter a username: studentP. 
(where P = pod number) 

Step 6 Enter a password: studentP. 
(where P = pod number) 

Step 7 Click OK. The Cisco VPN Client icon should appear. 

Step 8 If Internet Explorer is not open, launch Internet Explorer using the desktop icon. Enter a 
Concentrator private interface IP address in the Internet Explorer Address field: 10.0.P.5 (where 
P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series 
Manager. 

Step 9 Log in to the Cisco VPN 3000 Concentrator Series Manager: 
Login: admin 
Password: admin 

Step 10 From the Monitoring menu tree, drill down to Filterable Event Log. 

Step 11 If no events appear, retrieve the filterable log. From the filterable event log, find the message 
group match for cert peer 172.26.26.P succeeded using rule ou=training, o=cisco. 
(where P = pod number) 

Step 12 Find the filterable event log message: validation of certificate successful. 

Step 13 From the Configuration menu tree, drill down to Policy Management>Group 
Matching>Policy. 

Step 14 De-select Match Group from Rules. 

Step 15 Select Obtain Group from OU. 

Step 16 Click Apply. 

Step 17 Save the changes. 

Step 18 Do not log out. Do not close Internet Explorer. 


Task 33—Return the Cisco VPN Client and Concentrator to Pre-shared Keys 

In the previous tasks, the Concentrators used digital certificates. In the next few lab exercises, 
you will use pre-shared keys. For a VPN session using pre-shared keys to authenticate, the 
Concentrator and Cisco VPN Client must be re-configured. Complete the following steps to 
modify the Cisco VPN Client and Concentrator settings: 

Step 1 From the Configuration menu tree, drill down to User Management>Groups. The 
Configuration>User Management>Groups window opens. 

Step 2 Choose training from the Current Groups list and click Modify Group. The Configuration>User 
Management>Groups>Modify training window opens. 

Step 3 Select the IPSec tab. 

Step 4 From the IPSec Security Association (SA) drop-down menu, choose the ESP-3DES-MD5 
proposal. 

Step 5 Click Apply, then save the changes. 

Step 6 Log out of the Concentrator and close Internet Explorer. 

Step 7 Disconnect the Client-to-LAN connection using the Cisco VPN Client icon. 

Step 8 If the Cisco VPN Client is not open, choose Start>Programs>Cisco Systems VPN 
Client>VPN Client. The Cisco Systems VPN Client window opens. 

Step 9 Choose studentP from the Connection Entry drop-down menu. 
(where P = pod number) 

Step 10 Click Modify. The Properties for studentP window opens. 
(where P = pod number) 

Step 11 Select the Authentication tab. 

Step 12 Select the Group Authentication radio button and verify the following entries: 

1. Group name: training. 

2. Group password: training. 

3. Password: training. 

Step 13 Click Save. 

Step 14 Close the VPN Client window. 
Configure the Cisco Virtual Private Network Firewall Feature for the IPSec Software Client 

Overview 

This lesson includes the following topics: 

■ Objectives 
■ Overview of the Software Client's firewall feature 
■ The Software Client's AYT feature 
■ The Software Client's Stateful Firewall feature 
■ The Software Client's CPP feature 
■ Software Client firewall statistics 
■ Customizing firewall policy 
■ Summary 
■ Lab exercise 
Objectives 


This topic lists the lesson’s objectives. 


Upon completion of this lesson, you will be able to perform the following tasks: 

- Configure the AYT feature. 
- Configure the Stateful Firewall feature. 
- Configure the CPP feature. 
- Monitor the firewall feature on the Cisco VPN Client. 
Overview of the Software Client’s Firewall Feature 


This topic presents an overview of the Cisco Virtual Private Network (VPN) Software Client’s 
firewall feature. 


Software Client Firewall Application 

[Figure: a remote PC with split tunneling enabled and the three traffic types it carries: 
encrypted tunnel traffic, local LAN traffic, and Internet traffic.] 


The Software Client is designed for split tunneling, Internet traffic, and applications. In split 
tunneling, there are three types of traffic: 

- Encrypted tunnel—All traffic bound for the corporate office is encrypted and sent down a 
tunnel, which is relatively safe. 

- Local LAN—Local LAN traffic is typically between a remote user’s PC and a printer under 
their desk, which is also relatively safe. 

- Internet traffic—Internet traffic is between the remote user and sites on the Internet. By 
enabling split tunneling, the ability to raise a tunnel and talk to the Internet in clear text 
raises security issues. The Software Client firewall feature is designed to address the Internet 
traffic security issue. 
Windows-Based Software Client—Firewall Features 

- Are You There (AYT) 
- Stateful Firewall 
- Central Policy Protection (CPP) 
- Cisco Integrated Client (CIC) firewall 


The Cisco VPN 3000 Series Concentrator contains four firewall features designed to enhance 
system security for Microsoft Windows-based PCs running the VPN Software Client: 

- Are You There (AYT) feature—This feature verifies that a specific firewall product is 
operational on a client PC before any tunnels are allowed. 

- Stateful Firewall feature—Pre-defined stateful firewall that is turned on or off at the remote 
Software Client. If enabled, it is active for both tunneled and non-tunneled traffic. 

- Central Policy Protection (CPP) feature—CPP provides network administrators with the 
ability to centrally define firewall policies for connected VPN Clients. This policy is pushed 
down to the Software Client at connection time. 

- Cisco Integrated Client (CIC) Firewall feature—As of the Cisco VPN 3000 Series 
Concentrator release 3.5, the Microsoft Windows-based Software Client now contains a CIC 
Firewall module. The CIC Firewall feature supports the Stateful Firewall feature and the 
CPP feature. 
The Software Client’s AYT Feature 


This topic presents an overview of the Software Client’s Are You There (AYT) feature. 


AYT Feature 

[Figure: a Microsoft Windows PC running the Cisco VPN Client software together with a 
personal firewall, connected to the Concentrator.] 


Often network administrators require remote access PCs to run a firewall application before 
allowing VPN tunnels to be built. The network administrator can configure the Concentrator to 
require all Software Clients in a group to have a specific firewall operating on the PC. 


The Software Client monitors the firewall to ensure that it is running. If the firewall stops 
running, the Software Client drops the connection to the Concentrator. This firewall policy is 
also called AYT because the Software Client polls the firewall periodically to determine if it is 
still there. If there is no reply from the firewall, the Software Client knows that the firewall is 
down and terminates its connection to the Concentrator. 
Configuring the AYT Feature 

[Figure: the Client FW tab of the Configuration>User Management>Groups>Modify window. 
The VPN Client Firewall Policy table has Attribute, Value, Inherit?, and Description columns. 
Check the Inherit? box to set a field that you want to default to the base group value; uncheck 
it and enter a new value to override the base group value. The rows are: 
Firewall Setting (No Firewall, Firewall Required, Firewall Optional): select whether or not to 
require that the client firewall specified below be installed and active. 
Firewall and Custom Firewall (Vendor ID, Product ID, Description): select the firewall vendor 
and product required for clients in this group. For client firewalls not listed, select Custom 
Firewall and enter the vendor and product IDs. Separate multiple product IDs with commas. To 
indicate all products by a particular vendor, enter product ID 255. The product description is 
optional. 
Firewall Policy (Policy defined by remote firewall (AYT); Policy Pushed (CPP) with the 
Firewall Filter for VPN Client (Default) drop-down menu; Policy from Server): select the policy 
for the protection provided by the client firewall.] 


Go to the Configuration>User Management>Groups>Modify window and select the Client FW 
tab. AYT, CIC, and CPP features are configurable from this window. Over the next topics, you 
will configure each feature individually. 


AYT is the first feature you will configure. Complete the following steps to configure the AYT 
feature: 

Step 1 Select a firewall setting from the Firewall Setting row. 

Step 2 Identify a firewall from the Firewall row. 

Step 3 Configure a custom firewall from the Custom Firewall row. 

Step 4 Select the firewall policy from the Firewall Policy row. 


The following figures further discuss the four steps used to configure the AYT feature. 
Step 1—Select a Firewall Setting 

[Figure: the Client FW tab with the Firewall Setting row highlighted: No Firewall, Firewall 
Required, or Firewall Optional.] 


When configuring the AYT feature, you must first select a firewall setting. By default, no 
firewall is required for remote users in this group, so the No Firewall radio button is already 
selected. If you, as the administrator, want users in this group to be firewall-protected, select 
either Firewall Required or Firewall Optional: 

- No Firewall setting—This is the default. If you leave this radio button selected, then no 
firewall is required for remote users in this group. 

- Firewall Required setting—If you select this radio button, then all remote users in this group 
must use a firewall. Only those users with the designated firewall can connect to the 
Concentrator. The Concentrator drops any session that attempts to connect without the 
designated firewall installed and running. If you require a firewall for a group, make sure 
that the group does not include any Software Clients without the designated firewall, or 
any non-Windows Software Clients, because they will be unable to connect. 

- Firewall Optional setting—If you select this radio button, then all remote users in this group 
can connect to the Concentrator. Those who have the designated firewall must use it. Those 
without the required firewall can still connect but will receive a notification message. This 
setting is useful if you have a group that is in gradual transition, in which some members 
have set up firewall capacity and others have not. 
Step 2—Identify a Firewall 

[Figure: the Client FW tab with the Firewall drop-down menu open, listing Custom Firewall, 
Cisco Integrated Client Firewall, Network ICE BlackICE Defender, Zone Labs ZoneAlarm, 
Zone Labs ZoneAlarm Pro, Zone Labs ZoneAlarm or ZoneAlarm Pro, Zone Labs Integrity, 
Sygate Personal Firewall, Sygate Personal Firewall Pro, Sygate Security Agent, and Cisco 
Intrusion Prevention Security Agent.] 


After establishing the firewall setting, the second step is to identify a firewall. To do this, choose 
a firewall from the Firewall drop-down menu: 

- Cisco Integrated Client Firewall—The firewall built into the Software Client 

- Network ICE BlackICE Defender—The Network ICE BlackICE Agent or Defender Firewall 

- Zone Labs ZoneAlarm—The Zone Labs ZoneAlarm firewall 

- Zone Labs ZoneAlarm Pro—The Zone Labs ZoneAlarm Pro firewall 

- Zone Labs ZoneAlarm or ZoneAlarm Pro—Either the Zone Labs ZoneAlarm firewall or the 
Zone Labs ZoneAlarm Pro firewall 

- Zone Labs Integrity—The Zone Labs Integrity Client 

- Sygate Personal Firewall—The Sygate Personal Firewall 

- Sygate Personal Firewall Pro—The Sygate Personal Firewall Pro 

- Sygate Security Agent—The Sygate Security Agent personal firewall 

- Cisco Intrusion Prevention Security Agent—Cisco Systems security agent 

- Custom Firewall—For future use (there is further discussion of this option later in this 
lesson) 
Step 3—Configure a Custom Firewall 

[Figure: the Client FW tab with Custom Firewall chosen in the Firewall row and the Custom 
Firewall row filled in with Vendor ID 2 and Product ID 2; the Firewall Policy row shows 
Policy defined by remote firewall (AYT).] 


An optional step when configuring the AYT feature is to configure a custom firewall. Currently, 
every supported firewall is selectable from the Firewall drop-down menu. In the future this may 
not be true. For example, suppose an additional firewall, firewall brand XYZ for instance, is 
supported in a future Concentrator software release. The customer would like to support the new 
XYZ firewall, but they are not ready to migrate to the new Concentrator software release. The 
new firewall can be supported on the older version of Concentrator software by configuring the 
custom firewall field. To support the new XYZ firewall, the administrator must configure the 
new vendor code and product code in the Vendor ID and Product ID fields. An optional 
description of the new firewall can also be added in the Description field. 


Each vendor has a unique vendor identity and firewall product identity. 


The following table lists the currently supported firewall vendors and their firewall products: 


Vendor          Vendor Code   Product                                     Product Code 
Cisco Systems   1             CIC                                         1 
Cisco Systems   5             Cisco Intrusion Prevention Security Agent   1 
Zone Labs       2             ZoneAlarm                                   1 
Zone Labs       2             ZoneAlarm Pro                               2 
Zone Labs       2             Zone Labs Integrity                         3 
Network ICE     3             BlackICE Defender/Agent                     1 
Sygate          4             Personal Firewall                           1 
Sygate          4             Personal Firewall Pro                       2 
Sygate          4             Security Agent                              3 


In the example in the figure, the administrator defines a custom firewall with a vendor 
identification of 2, Zone Labs, and a product identity of 2, ZoneAlarm Pro. Future vendor and 
product identifications will be available in the Cisco VPN 3000 product release notices. 
Step 4—Select the Firewall Policy 

[Figure: Configuration | User Management | Groups | Modify training, Client FW tab (the other 
tabs are Identity, General, IPSec, Client Config, HW Client, and PPTP/L2TP). Firewall: Zone 
Labs ZoneAlarm. Firewall Policy: Policy defined by remote firewall (AYT) is selected; the 
alternatives are Policy Pushed (CPP), with Firewall Filter for VPN Client (Default) in its 
drop-down menu, and Policy from Server. Apply and Cancel buttons.] 


The last step when configuring the AYT feature is to select the firewall policy. There are three 
policies available. For the AYT feature, select the Policy defined by remote firewall (AYT) 
radio button. The AYT policy choice is sent to the Software Client in ModeCFG messages at 
connection time. 
How the AYT Feature Works 

[Figure: a PC running the Cisco VPN Client and the Zone Labs ZoneAlarm firewall, connected 
to the Concentrator. The ZoneAlarm firewall is operational, and the tunnel is established.] 


The administrator configures the Concentrator to require a particular firewall to be present on the 
remote Software Client’s PC. At the Software Client connection time, the following steps occur: 

Step 1 The Software Client polls the firewall. 

Step 2 The Software Client reports the presence of a specific firewall to the Concentrator via ModeCFG 
messages. 

Step 3 The Concentrator checks the reported firewall information against the VPN Client’s group 
firewall settings. 

Step 4 Depending on how the firewall parameters are set, the Concentrator’s actions are as follows: 

- No Firewall setting—No firewall is required, so the tunnel establishment is continued. 

- Firewall Required setting—If the designated firewall is installed and running, the connection 
is allowed. When the connection is established, the Software Client polls the firewall every 
thirty seconds to ensure that it is still running. If the firewall stops running, the Software 
Client terminates the session. 

- Firewall Optional setting—Those VPN Clients that have the designated firewall may 
connect if the firewall is running. Those VPN Clients without the designated firewall may 
still connect but will receive a notification message. Notification messages are discussed 
later in the lesson. 


Copyright © 2005, Cisco Systems, Inc. Configure the Cisco VPN Firewall Feature for the IPSec Software Client 7-13 


Firewall Optional—Warning 

[Figure: the Client FW tab with Firewall Optional selected and Network ICE BlackICE 
Defender chosen as the firewall, beside the VPN Client Notifications window showing a Client 
Error Notification with the message: "The client did not match the firewall policy configured on 
the central site VPN device. NetworkICE BlackICE Defender should be enabled or installed on 
your computer."] 


When the Firewall Optional radio button is selected, Software Clients that are not running with a 
designated firewall are allowed to connect but will receive a Software Client notification 
message. The message informs the Software Client that the Software Client did not match any of 
the Concentrator’s firewall configurations. The message also defines the expected firewall. 


The particular notification text shown in the figure warns the remote user that the Software 
Client does not match the Concentrator’s configuration. The Concentrator expects the Network 
ICE BlackICE Defender firewall application to be running on the PC. If the remote user is not 
running BlackICE Defender and they receive a notification message, the tunnel is still 
established. 
The Software Client’s Stateful Firewall Feature 


This topic presents an overview of the Software Client’s Stateful Firewall feature. 


Stateful Firewall Feature 

[Figure: a Microsoft Windows PC running the Software Client, with the stateful firewall 
inspecting both tunneled traffic and nontunneled traffic.] 


The Software Client 3.5 and higher releases contain an integrated stateful firewall module 
licensed from Zone Labs called the CIC firewall. Components of this feature include a dynamic 
link library (DLL) combined with a Zone Labs stateful firewall module driver. The DLL acts as 
an interface between the traditional Software Client and the firewall driver. 


A default stateful firewall policy is loaded on the CIC firewall. The stateful CIC firewall blocks all 
inbound traffic that is not related to an outbound session. The two exceptions to this rule are 
Dynamic Host Configuration Protocol (DHCP) and Address Resolution Protocol (ARP) 
traffic, where inbound packets are allowed through specific holes in the stateful firewall. When 
the user enables the stateful firewall, it is always on. The firewall is active for both tunneled and 
non-tunneled traffic. 


The administrator can accept the default policy or customize the firewall policy. To 
alter the firewall policies, the administrator can use the CPP feature. CPP enables the 
Concentrator’s administrator to centrally define a set of rules for the CIC firewall. This policy is 
pushed to the CIC firewall module. There is further discussion of CPP later in the lesson. 
Enabling the Stateful Firewall Feature 

[Figure: the VPN Client version 4.0.1 (Rel) window (menus: Connection Entries, Status, 
Certificates, Log, Options, Help) with the Options menu open, showing Application Launcher..., 
Windows Logon Properties..., Stateful Firewall (Always On), and Preferences...; the connection 
entry student (192.168.1.5, IPSec/UDP) is listed. The lock icon's menu in the system tray offers 
Stateful Firewall (Always On), About VPN Client..., and Exit VPN Client.] 


The remote client controls the stateful firewall feature. By default, the Stateful Firewall feature is 
disabled, or unchecked, on the Software Client. There are two ways to enable the Stateful 
Firewall feature. From the main Software Client window, remote users can click the Options 
button and choose Stateful Firewall. They can also access the Stateful Firewall option by right- 
clicking the lock icon from the system tray. When enabled, the Stateful Firewall feature filters 
both tunneled and non-tunneled traffic. 
The Software Client’s CPP Feature 


This topic presents an overview of the Software Client’s Central Policy Protection (CPP) feature. 


How CPP Works 

[Figure: the administrator defines the policy on the Concentrator; the policy is pushed to the 
VPN Client; the VPN Client forwards the policy to the local firewall.] 


Some administrators prefer to enforce a more centralized firewall policy approach. They do this 
by first defining a policy—a set of rules to allow or drop traffic—on the Concentrator. When the 
connection is made, these policies are pushed from the Concentrator to the Software Client using 
ModeCFG messages. The Software Client, in turn, forwards the policy to the local firewall, 
which enforces it. 


CPP Supported Firewalls 

- Cisco Integrated Client 
- Zone Labs ZoneAlarm 
- Zone Labs ZoneAlarm Pro 


The Software Client can forward policy to the following firewalls: 

- CIC—Concentrator and Software Client release 3.5 and higher. 

- Zone Labs ZoneAlarm and ZoneAlarm Pro—Minimum version of 2.6.357. 
Configure CPP 

[Figure: the Client FW tab with Firewall Setting: Firewall Required; Firewall: Zone Labs 
ZoneAlarm Pro; Firewall Policy: Policy Pushed (CPP) selected, with Firewall Filter for VPN 
Client (Default) chosen in its drop-down menu.] 


Configuring CPP is a two-step process: 

Step 1 The administrator selects a firewall—From the Firewall drop-down menu, choose a CPP- 
supported firewall: either CIC or a Zone Labs firewall. 

Step 2 The administrator selects a policy—From the Firewall Policy row, select Policy Pushed (CPP). 
From the Policy Pushed (CPP) drop-down menu, choose a filter to push to the firewall. The 
default policy is Firewall Filter for VPN Client (Default). 


In the example in the figure, the administrator has selected ZoneAlarm Pro as the required 
firewall, with the default CPP policy of Firewall Filter for VPN Client (Default). The default 
policy forwards all inbound and outbound encrypted tunnel traffic. It blocks all Internet inbound 
traffic that is not related to an outbound session. There is a discussion of firewall policy later in 
this lesson. 
Software Client Firewall Statistics 


This topic discusses the Software Client firewall statistics. 


Software Client Statistics—Firewall Tab 

[Figure: the VPN Client Statistics window, Firewall tab, for the connection to 192.168.1.5. 
Firewall Policy: Centralized Protection Policy (CPP); Product: Cisco Systems Integrated 
Client; a rule table with the columns Src Address, Dst Address, Proto, Src Port, and Dst Port, 
in which the visible rules carry destination port 500.] 


The Firewall tab displays information about the VPN Client's firewall configuration, including 
the firewall policy and the configured firewall product. The remaining contents of the Firewall 
tab depend on these two configured options. The information shown on this tab varies according 
to your firewall policy as follows: 

- AYT—When AYT is the supported capability, the Firewall tab shows only the firewall 
policy and the name of the firewall product. AYT enforces the use of a specific personal 
firewall but does not require you to have a specific firewall policy. 

- Centralized Protection Policy (CPP)—When CPP is the supported capability, the Firewall 
tab includes the firewall policy, the firewall in use, and firewall rules. 

- Client/Server—When Client/Server is the supported capability, the Firewall tab displays 
the firewall policy as Client/Server, the name of the product as ZoneLabs Integrity Agent, 
the user ID, session ID, and the addresses and port numbers of the firewall servers. 
Software Client Firewall Rules 

[Figure: the VPN Client Statistics window, Firewall tab (the other tabs are Tunnel Details and 
Route Details). Firewall Policy: Centralized Protection Policy (CPP); Product: Cisco Systems 
Integrated Client. The Firewall Rules table lists Forward rules, inbound and outbound, for the 
secure gateway 192.168.1.5 and for the private networks 172.26.26.1/32 and 10.0.1.31/32, then 
an outbound Forward rule from Local to Any, and finally the two default-action rules (Inbound, 
Any to Local; Outbound, Local to Any).] 


The Firewall Rules section shows all of the firewall rules currently in effect on the VPN Client. 
Rules are in order of importance from highest to lowest level. The rules at the top of the table 
allow inbound and outbound traffic between the VPN Client and the secure gateway and 
between the VPN Client and the private networks with which it communicates. For example, 
there are two rules in effect for each private network that the VPN Client connects to through a 
tunnel (one rule that allows traffic outbound and another that allows traffic inbound). These rules 
are part of the VPN Client software. Since they are at the top of the table, the VPN Client 
enforces them before examining CPP rules. This approach lets the traffic flow to and from 
private networks. 


CPP rules (defined on the VPN Concentrator) are only for nontunneled traffic and appear next in 
the table. A default rule "Firewall Filter for VPN Client (Default)" on the VPN Concentrator lets 
the VPN Client send any data out, but permits return traffic in response only to outbound traffic. 


Finally, there are two rules listed at the bottom of the table. These rules, defined on the VPN 
Concentrator, specify the filter's default action, either drop or forward. If not changed, the 
default action is drop. These rules are used only if the traffic does not match any of the preceding 
rules in the table. Each firewall rule includes the following fields: 

- Action—The action taken if the data traffic matches the rule: 
  — Drop—Discard the session. 
  — Forward—Allow the session to go through. 

- Direction—The direction of traffic to be affected by the firewall: 
  — Inbound—Traffic coming into the PC, also called local machine, from the public 
  network while the Software Client is connected to a secure gateway through the secure 
  tunnel. 
  — Outbound—Traffic going out from the PC to all networks while the Software Client is 
  connected to a secure gateway. 

- Source Address—The address of the traffic that this rule affects: 
  — Any—All traffic (for example, drop any inbound traffic). This field can also contain a 
  specific IP address and subnet mask. 
  — Local—The local machine. If the direction is outbound, then the source address is local. 

- Destination Address—The packet’s destination address that this rule checks (the address of 
the recipient): 
  — Any—All traffic (for example, forward any outbound traffic). 
  — Local—The local machine. If the direction is inbound, the destination address is local. 

- Protocol—The Internet Assigned Numbers Authority (IANA) number of the protocol that this 
rule concerns (6 for TCP, 17 for UDP, and so on). 

- Source Port—Source port used by TCP or UDP. 

- Destination Port—Destination port used by TCP or UDP. 
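To make the rule ordering on the Firewall tab concrete, the following Python model (an added example, not Cisco's code) evaluates packets against a table built the way the text describes: the VPN Client's own tunnel rules first, then the CPP rules, then the filter's default action, with the default filter's "return traffic only" behaviour modelled as a session lookup. It also exercises the Direction, Action, Protocol and port parameters used when defining custom rules later in this lesson; the addresses, the Packet and Rule classes and the omission of the CIC's DHCP/ARP holes are all assumptions of this example.

```python
"""Model of the VPN Client firewall rule table described above (added example): tunnel rules,
then CPP rules, then the filter's default action, plus the default filter's return-traffic rule."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY, LOCAL = "Any", "Local"   # address keywords used in the Firewall Rules table
ANY_PROTO = 255               # the Concentrator lists "Any protocol [255]"


@dataclass(frozen=True)
class Packet:
    direction: str   # "Inbound" (public network to the PC) or "Outbound"
    src: str         # source IP address
    dst: str         # destination IP address
    proto: int       # IANA protocol number: 1 ICMP, 6 TCP, 17 UDP
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str          # "Forward" or "Drop"
    direction: str       # "Inbound" or "Outbound"
    src: str = ANY       # Any, Local, or an address/prefix such as 10.0.1.0/24
    dst: str = ANY
    proto: int = ANY_PROTO
    dport: int = 0       # 0 = any destination port


def _addr_match(spec: str, addr: str, local_ip: str) -> bool:
    if spec == ANY:
        return True
    if spec == LOCAL:
        return addr == local_ip
    return ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet, local_ip: str) -> bool:
    """A rule applies only if every field it specifies matches the packet."""
    return (rule.direction == pkt.direction
            and rule.proto in (ANY_PROTO, pkt.proto)
            and rule.dport in (0, pkt.dport)
            and _addr_match(rule.src, pkt.src, local_ip)
            and _addr_match(rule.dst, pkt.dst, local_ip))


# Stand-in for "Firewall Filter for VPN Client (Default)": anything may go out; inbound is
# admitted only as return traffic (see ClientFirewall.decide) or by the default action.
DEFAULT_CPP_FILTER = [Rule("Forward", "Outbound", LOCAL, ANY)]


class ClientFirewall:
    def __init__(self, local_ip, gateway, private_nets, cpp_rules, default_action="Drop"):
        self.local_ip = local_ip
        # Top of the table: rules the VPN Client installs itself for the secure gateway and
        # for each private network reached through the tunnel (one inbound, one outbound).
        tunnel = [Rule("Forward", "Inbound", gateway + "/32", LOCAL),
                  Rule("Forward", "Outbound", LOCAL, gateway + "/32")]
        for net in private_nets:
            tunnel += [Rule("Forward", "Inbound", net, ANY),
                       Rule("Forward", "Outbound", ANY, net)]
        # Bottom of the table: the filter's default action, used when nothing else matched.
        defaults = [Rule(default_action, "Inbound", ANY, LOCAL),
                    Rule(default_action, "Outbound", LOCAL, ANY)]
        self.table = tunnel + list(cpp_rules) + defaults
        self.sessions = set()   # (src, dst, proto, sport, dport) of forwarded outbound packets

    def decide(self, pkt: Packet) -> str:
        """Return "Forward" or "Drop"; the first matching rule in the table wins."""
        if pkt.direction == "Inbound":
            # Stateful exception: a reply to an outbound session already forwarded gets in.
            if (pkt.dst, pkt.src, pkt.proto, pkt.dport, pkt.sport) in self.sessions:
                return "Forward"
        for rule in self.table:
            if rule_matches(rule, pkt, self.local_ip):
                if rule.action == "Forward" and pkt.direction == "Outbound":
                    self.sessions.add((pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport))
                return rule.action
        return "Drop"   # nothing matched (e.g. inbound traffic not addressed to this PC)


def demo() -> dict:
    """Constructed scenario: PC 192.168.1.10, gateway 192.168.1.5, private net 10.0.1.0/24."""
    pc, gw = "192.168.1.10", "192.168.1.5"
    fw = ClientFirewall(pc, gw, ["10.0.1.0/24"], DEFAULT_CPP_FILTER)
    results = {
        "ike_to_gateway": fw.decide(Packet("Outbound", pc, gw, 17, 500, 500)),
        "from_private_host": fw.decide(Packet("Inbound", "10.0.1.31", pc, 6, 445, 3456)),
        "web_out": fw.decide(Packet("Outbound", pc, "203.0.113.10", 6, 40000, 80)),
        "web_reply": fw.decide(Packet("Inbound", "203.0.113.10", pc, 6, 80, 40000)),
        "unsolicited_smb": fw.decide(Packet("Inbound", "198.51.100.7", pc, 6, 1234, 445)),
    }
    # A custom CPP policy of the kind the Customizing Firewall Policy topic describes:
    # only DNS and HTTP/HTTPS may leave in clear text; anything else hits the Drop default.
    strict = ClientFirewall(pc, gw, ["10.0.1.0/24"], [
        Rule("Forward", "Outbound", LOCAL, ANY, 17, 53),
        Rule("Forward", "Outbound", LOCAL, ANY, 6, 80),
        Rule("Forward", "Outbound", LOCAL, ANY, 6, 443)])
    results["strict_dns"] = strict.decide(Packet("Outbound", pc, "203.0.113.53", 17, 5353, 53))
    results["strict_telnet"] = strict.decide(Packet("Outbound", pc, "203.0.113.10", 6, 40001, 23))
    return results
```

Calling demo() returns the verdict for each constructed packet; the unsolicited inbound SMB packet and the outbound Telnet under the strict policy are the two that fall through to the Drop default.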
Customizing Firewall Policy 


This topic explains how to create a custom firewall policy. 


Building Customized Policies 

[Figure: the Concentrator's add-a-new-filter window ("Configure and add a new filter.") with 
Filter Name: Custom FW Filter, Default Action: Drop, and a Source Routing check box.] 


Most of the time the default policy works fine. However, if the administrator needs to restrict the 
outbound clear text traffic to a few protocols or a handful of remote locations, the administrator 
should create a new policy. Building custom CPP policies is a four-step process. On the 
Concentrator, complete the following steps: 

Step 1 Define rules to restrict traffic. 

Step 2 Add a new policy. 

Step 3 Associate the new rules with the newly created policy. 

Step 4 Assign the new policy to the CPP. 


There is further discussion of each of these steps later in the lesson. 
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Step 1—Define Rules to 


Restrict Traffic 
Ra MMMM ~SCS*é<sco.com 


This section lets you add, configure, modify, copy, and delete filter rules, 


Click Add to add a filter rule, or select a filter rule and click Modify, Copy, or Delete 


Filter Rules 
Any Out (farward/out) 


LDAP Out (forward/out) 
TelneSSL In (forward/in) 
Telney/SSL Out (torward/out) 


‘SelcL whet: th us dhol apply leas ee atcied TCP vom 


Sl srort carol ed es 2 the TP a 


a 


sash, which is dae roy 
Sem blyvabem 2 aide 


Re TOSAMP, spasiiythe “ears sort 
the sere amber the att and end 


Fee TOAD, spocittthe destination perranggs tt tie mle cho“es For ¢ 
en bn peg acrid Bo te ed el 


Bes TOME, specie the range of 2CMD packet pes hes Aus ele chee es 


CSVPN 4.0—7-27 


A firewall policy is comprised of rules. These rules are used to shape the traffic. The rules define whether the firewall should forward or drop the traffic. In creating a new policy, the administrator first has to create new rules. To create the new rules, complete the following steps:

Step 1 Go to the Configuration>Policy Management>Traffic Management>Rules window.
Step 2 From the Actions column, click Add.
Step 3 From the Configuration>Policy Management>Traffic Management>Rules>Add window, define the new rule.

The following is a description of the rule parameters:

■ Rule Name field—Enter the name of the filter rule.

■ Direction drop-down menu—Choose the data direction to which this rule applies:
  — Inbound—Into the Software Client.
  — Outbound—Out of the Software Client.

■ Action drop-down menu—Choose the action to take if the data traffic (packet) matches all parameters that follow:
  — Drop—Discard the packet. This is the default choice.
  — Forward—Allow the packet to pass.
■ Protocol drop-down menu—This parameter refers to the IANA (Internet Assigned Numbers Authority) assigned protocol number in an IP packet. The descriptions include the IANA number, in brackets, for reference. Click the Protocol or Other drop-down menu button and choose the protocol to which this rule applies.
  — Any—Any protocol [255] (the default choice).
  — ICMP—Internet Control Message Protocol [1] (used by ping). If you choose this protocol, you should also configure ICMP Packet Type.
  — TCP—Transmission Control Protocol [6] (connection-oriented, for example: FTP, HTTP, SMTP, and Telnet). If you choose this protocol, you should configure TCP Connection and TCP/UDP Source Port or Destination Port.
  — EGP—Exterior Gateway Protocol [8] (used for routing to exterior networks).
  — IGP—Interior Gateway Protocol [9] (used for routing within a domain).
  — UDP—User Datagram Protocol [17] (connectionless, for example: SNMP). If you choose this protocol, you should also configure TCP/UDP Source Port or Destination Port.
  — ESP—Encapsulation Security Payload [50] (applies to IPSec).
  — AH—Authentication Header [51] (applies to IPSec).
  — GRE—Generic Routing Encapsulation [47] (used by PPTP).
  — RSVP—Resource Reservation Protocol [46] (reserves bandwidth on routers).
  — IGMP—Internet Group Management Protocol [2] (used in multicasting).
  — OSPF—Open Shortest Path First [89] (interior routing protocol).
  — Other—Other protocol not listed here. If you choose Other here, you must enter the IANA-assigned protocol number in the Other field.


■ TCP Connection drop-down menu—Do not configure this field if you are using this rule for a client firewall filter.

■ Source Address—Specify the packet source address that this rule checks:
  — Network List drop-down menu—Click the Network List drop-down menu button and choose the configured network list that specifies the source addresses. A network list is a list of network addresses that are treated as a single object.
  — IP Address field—Enter the source IP address in dotted decimal notation. The default is 0.0.0.0.
  — Wildcard-mask field—Enter the source address wildcard mask in dotted decimal notation. The default is 255.255.255.255.

■ Destination Address—Specify the packet destination address that this rule checks:
  — Network List drop-down menu—Click the Network List drop-down menu button and choose the configured network list that specifies the destination addresses. A network list is a list of network addresses that are treated as a single object.
  — IP Address field—Enter the destination IP address in dotted decimal notation. The default is 0.0.0.0.
  — Wildcard-mask field—Enter the destination address wildcard mask in dotted decimal notation. The default is 255.255.255.255.

■ TCP/UDP Source Port—If you chose TCP or UDP from the Protocol drop-down menu, choose the source port number that this rule checks. To do this, click the Port drop-down menu button and choose the process.

■ TCP/UDP Destination Port—If you chose TCP or UDP from the Protocol drop-down menu, choose the destination port number that this rule checks. To do this, click the Port drop-down menu button and choose the process.


An example of a rule configuration is shown in the figure. The administrator wants to limit the remote user to using outbound HTTP traffic only when accessing the Internet. To accomplish this, the administrator configures the rule parameters as follows:

■ Rule Name—HTTP Only
■ Direction—Outbound
■ Action—Forward
■ Protocol—TCP
■ Source and destination address—Ignored. The administrator is limiting the end user to a protocol, HTTP, not a specific address. The end user can surf the web if they are using only HTTP.
■ TCP/UDP Source Port—Ignored.
■ TCP/UDP Destination Port—Port 80, HTTP. The administrator is limiting the remote user to using HTTP.
A note of caution: this configuration does not allow the user to use hostnames, because the firewall will not pass Domain Name System (DNS) traffic. An additional rule allowing DNS is advisable.
Step 2—Add a New Policy

[Figure: the Configuration>Policy Management>Traffic Management>Filters window, which lets you add, configure, modify, copy, and delete filters, and assign rules to filters. The Filter List shows the Private (Default), Public (Default), External (Default) and Firewall Filter for VPN Client (Default) filters; the Actions are Add Filter, Assign Rules to Filter, Modify Filter, Copy Filter and Delete Filter. The Filters>Add window shows Filter Name "Custom FW Filter", Default Action "Drop", the Source Routing and Fragments check boxes, and the Description "blocks all incoming/allows HTTP outbound".]
After the rules are defined, a new filter is added. Complete the following steps to create the new filter:

Step 1 Go to the Configuration>Policy Management>Traffic Management>Filters window.
Step 2 Under the Actions column, click Add.
Step 3 In the Configuration>Policy Management>Traffic Management>Filters>Add window, create the new filter.

The following is a description of the new filter parameters:

■ Filter Name field—Enter a unique name for this filter. Maximum is 48 characters.

■ Default Action drop-down menu—Click the Default Action drop-down menu button and choose the action that this filter takes if a data packet does not match any of the rules on this filter. The choices are:
  — Drop = Discard the packet (the default choice).
  — Forward = Allow the packet to pass.
  — Drop and Log = Discard the packet and log a filter debugging event (FILTERDBG event class). See the following note.
  — Forward and Log = Allow the packet to pass and log a filter debugging event (FILTERDBG event class). See the following note.
Note The Log actions are intended for use only while debugging filter activity. Since they generate and log an event for every matched packet, they consume significant system resources and might seriously degrade performance.

■ Source Routing check box—Ignored. Check the Source Routing check box to allow IP source routed packets to pass. A source-routed packet specifies its own route through the network and does not rely on the system to control forwarding. This box is unchecked by default.

■ Fragments check box—Ignored. Check the Fragments check box to allow fragmented IP packets to pass. Large data packets might be fragmented on their journey through networks, and the destination system reassembles them. This box is checked by default.

■ Description field—Enter a description of this filter. This field is optional. It is a convenience for you or other administrators; use it to describe the purpose or use of the filter. The maximum number of characters is 255.

In the example in the figure, the administrator defines a new filter, named Custom FW Filter. The default action is to drop any packets that do not match any firewall rules.
Step 3—Associate the New Rules with the Newly Created Policy

[Figure: the Configuration>Policy Management>Traffic Management>Filters window again (Filter List and Actions), from which the administrator selects the new filter and clicks Assign Rules to Filter.]
The next step is to add the rules created in the first step to the new filter created in the previous step. To do this, complete the following steps:

Step 1 Go to the Configuration>Policy Management>Traffic Management>Filters window.
Step 2 Within the Filter List field, select the new filter.
Step 3 Under the Actions column, click Assign Rules to Filter. The Configuration>Policy Management>Traffic Management>Filters>Assign Rules to Filter window opens.
Step 4 Scroll through the Available Rules column and select the new rules.
Step 5 Click Add under the Actions column. This action assigns the new rules to the new filter.

In the example in the figure, the administrator adds the HTTP Only (forward/out) rule to the custom firewall filter.
Step 4—Assign the New Policy to the CPP

[Figure: the Client FW tab of a group's Modify window (VPN Client Firewall Policy). The on-screen help reads: Check the Inherit? box to set a field that you want to default to the base group value. Uncheck the Inherit? box and enter a new value to override base group values. The attributes, each with an Inherit? check box, are Firewall Setting (No Firewall, Firewall Required, Firewall Optional), Firewall (Cisco Integrated Client Firewall, or Custom Firewall with Vendor ID, Product ID and Description fields; multiple product IDs are separated with commas and product ID 255 means all products by a vendor), and Firewall Policy (Policy defined by remote firewall (AYT), Policy Pushed (CPP) with "Custom FW Filter" selected, or Policy from Server).]
The last step is to assign the custom firewall policy to a group’s firewall policy. To do this, 
complete the following steps: 


Step 1 Go to Configuration>User Management>Groups window and select a group. 
Step 2 Click Modify (which is not shown in the figure). 

Step 3 From the Firewall Policy row, select Policy Pushed (CPP). 

Step 4 From the Policy Pushed (CPP) drop-down menu, choose the new policy. 
Step 5 Click Apply. 


The next time a Software Client belonging to this group connects to the Concentrator, the new 
custom firewall filter policy is downloaded to the VPN Client. The Software Client forwards the 
new policy to the firewall. With the new policy, the remote user has access to the Internet via 
HTTP. Any HTTP inbound traffic associated with an outbound session is forwarded. Any 
unsolicited inbound HTTP, or any other protocol, traffic is dropped using the default rule. 
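To make the behaviour of the finished policy concrete, here is an added example (not Cisco code, and not how the Concentrator or the Cisco Integrated Client implement filtering) that models a CPP filter with the Step 1 rule parameters, the Step 2 default action and the stateful forwarding of return traffic described above. It evaluates the HTTP Only rule against constructed packets, first alone and then with the DNS rule the lesson advises; all addresses and the DNS resolver are constructed sample values.

```python
"""Toy model of a CPP client-firewall filter (added example, not Cisco code).

Follows the Step 1 rule parameters (direction, action, IANA protocol number,
source/destination address with wildcard mask, TCP/UDP ports), the Step 2
filter default action, and the Step 4 behaviour that inbound traffic belonging
to an outbound session is forwarded. Addresses below are constructed samples.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# IANA protocol numbers as listed on the page ("Any" is the Concentrator's 255).
ANY, ICMP, TCP, UDP = 255, 1, 6, 17


def addr_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    """Wildcard-mask comparison: a 1 bit in the mask means 'do not care', so the
    default 255.255.255.255 matches every address and 0.0.0.0 requires an exact match."""
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return int(IPv4Address(addr)) & care == int(IPv4Address(rule_addr)) & care


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the Software Client, "in" = arriving at it
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str  # "forward" or "drop"
    proto: int = ANY
    src: str = "0.0.0.0"
    src_wild: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wild: str = "255.255.255.255"
    sport: Optional[int] = None  # None = any port
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (p.direction == self.direction
                and self.proto in (ANY, p.proto)
                and addr_matches(p.src, self.src, self.src_wild)
                and addr_matches(p.dst, self.dst, self.dst_wild)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport))


@dataclass
class Filter:
    name: str
    rules: list
    default_action: str = "drop"  # taken when no rule matches (Step 2)
    sessions: set = field(default_factory=set, init=False)  # outbound sessions seen

    def evaluate(self, p: Packet) -> str:
        # Stateful pass: replies to a session this client opened are forwarded.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "forward"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "forward" and p.direction == "out":
                    self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return self.default_action


# The "HTTP Only" rule as configured in Step 1: outbound TCP to port 80, addresses ignored.
HTTP_ONLY = Rule("HTTP Only", "out", "forward", proto=TCP, dport=80)
# The extra DNS rule the lesson advises, here pinned to one constructed resolver
# (wildcard 0.0.0.0 = every address bit must match).
DNS_OUT = Rule("DNS Out", "out", "forward", proto=UDP,
               dst="192.0.2.53", dst_wild="0.0.0.0", dport=53)


def run_scenario(with_dns_rule: bool) -> dict:
    """Run constructed packets through the custom filter and return the verdicts."""
    rules = [HTTP_ONLY] + ([DNS_OUT] if with_dns_rule else [])
    fw = Filter("Custom FW Filter", rules)
    client, web, resolver, peer = "172.26.26.1", "198.51.100.10", "192.0.2.53", "172.26.26.2"
    return {
        "http_out": fw.evaluate(Packet("out", TCP, client, web, 1025, 80)),
        "http_reply": fw.evaluate(Packet("in", TCP, web, client, 80, 1025)),
        "dns_query": fw.evaluate(Packet("out", UDP, client, resolver, 1026, 53)),
        "dns_other_resolver": fw.evaluate(Packet("out", UDP, client, "192.0.2.99", 1027, 53)),
        "unsolicited_in": fw.evaluate(Packet("in", TCP, peer, client, 2000, 80)),
        "ping_out": fw.evaluate(Packet("out", ICMP, client, peer)),
    }


if __name__ == "__main__":
    for with_dns in (False, True):
        print("with DNS rule:" if with_dns else "HTTP Only alone:", run_scenario(with_dns))
```

Without the DNS rule the query to the resolver is dropped by the default action, which is the hostname problem noted under Step 1; the unsolicited inbound connection is dropped in both runs.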
Summary

This topic summarizes what you learned in this lesson.

The Software Client supports three firewall features:

■ The AYT feature monitors the operation of a specific firewall.
■ The Stateful Firewall feature is always on, even when no VPN tunnels are established.
■ The CPP feature enables an administrator to push firewall policy to Software Clients.
Lab Exercise—Configuring Cisco VPN Client Firewall Features

Complete the following lab exercise to practice what you learned in this lesson.

Objectives

Your task in this lab exercise is to install and configure the Cisco Virtual Private Network (VPN) Client and configure the Cisco VPN 3000 Series Concentrator to enable VPN encrypted tunnels using integrated firewall features. Work with your lab exercise partner to complete the following tasks:

■ Complete the lab exercise setup.
■ Configure the Concentrator user group for split tunneling.
■ Configure the Concentrator user group firewall for the AYT feature.
■ Test AYT with firewall required.
■ Configure AYT with the optional firewall feature.
■ Test AYT with the optional firewall feature.
■ Configure the Concentrator user group firewall for the CPP feature.
■ Test the CPP feature.
■ Use the stateful firewall (Always On) feature.
Visual Objective

The following figure displays the configuration you will complete in this lab exercise.

[Figure: Lab Visual Objective. A student PC with the Cisco VPN Client at 172.26.26.P on the 172.26.26.0 network; a Cisco VPN 3000 Concentrator with interfaces on the 192.168.P.0 and 10.0.P.0 networks (host addresses .1, .5, .5 and .10 appear in the figure).]

Scenario 


Your company wants to implement a Cisco VPN using split tunneling. You must configure both 
the remote Cisco VPN Clients and the Concentrators for remote access using integrated firewall 
features. 


Task 1—Complete the Lab Exercise Setup 


Before starting this lab exercise, verify that your equipment is set up as follows:

■ Ensure that your student PC is powered on.
■ Ensure that your student PC IP addresses are configured correctly:
  — Primary IP address—172.26.26.P (where P = pod number)
  — Default gateway IP address—172.26.26.150
■ Ensure that your Concentrator is powered on.
Task 2—Configure the Concentrator User Group for Split Tunneling

Split tunneling enables the remote client to browse the Internet via clear text while simultaneously accessing the corporate network via a secure tunnel. The secure tunnel protects the traffic to the corporate network. The Client Firewall application is intended to protect the remote PC from the Internet. In this task, you will configure split tunneling in the Concentrator training user group.

Note This procedure assumes that Windows 2000 is already running on the student PC.

Step 1 Launch Internet Explorer by double-clicking the desktop icon.

Step 2 Enter a Concentrator’s public interface IP address of 192.168.P.5 in the Internet Explorer Address field. Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.
(where P = pod number)

Step 3 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account:
Login: admin
Password: admin

Note The username (login) and password are always case-sensitive.

Step 4 From the Configuration menu tree, choose Policy Management>Traffic Management>Network Lists.

Step 5 Click Add.

Step 6 Enter a list name: Private Network.

Step 7 Enter a network list: 10.0.P.0/0.0.0.255.
(where P = pod number)

Step 8 Click Add. You just created a local list for the private network.

Step 9 From the Configuration menu tree, choose User Management>Groups.

Step 10 Select the training (Internally Configured) group from the Current Groups list.

Step 11 Click Modify Group.

Step 12 Select the Client Config tab.

Step 13 Choose the Split Tunneling Policy group box and select Only tunnel networks in list.

Step 14 From the Split Tunneling Network List drop-down menu, choose Private Network (the network list you just created).

Step 15 Click Apply and save your work.

Step 16 Remain logged into the Concentrator, and proceed to the following task.
Task 3—Configure the Concentrator User Group Firewall for the AYT Feature

Complete the following steps to configure the Concentrator training user group firewall for the Are You There (AYT), required firewall, feature:

Step 1 Choose the training (Internally Configured) group from the Current Groups list.

Step 2 Click Modify Group.

Step 3 Select the Client FW tab.

Step 4 Choose the Firewall Setting group box and select Firewall Required.

Step 5 Choose the Firewall group box and select Network ICE BlackICE Defender from the list.

Step 6 Choose the Firewall Policy group box and note that Policy defined by remote firewall (AYT) is automatically selected. This is because the BlackICE Defender Firewall is only supported for AYT, not Central Policy Protection (CPP).

Note By using this configuration record, all Cisco VPN Clients become aware that they must have the BlackICE firewall running on their PC before the Concentrator will allow a tunneled connection. This also tells the VPN Client to poll for the BlackICE firewall every 30 seconds (hard-coded) and, if it does not respond, to terminate the tunnel.

Step 7 Scroll down and click Apply.

Step 8 Save your work by clicking the Save Needed icon.

Step 9 Log out of the Concentrator and minimize the Internet Explorer window.
Task 4—Test AYT with Firewall Required

Complete the following steps to launch the Cisco VPN Client on your student PC to test the AYT configuration:

Step 1 Choose Start>Programs>Cisco Systems VPN Client>VPN Client. The Cisco VPN Client window opens.

Step 2 Verify that the connection entry is studentP.
(where P = pod number)

Step 3 Verify that the IP address of the remote server is set to a Concentrator’s public interface IP address: 192.168.P.5.
(where P = pod number)

Step 4 Click Connect. The Connection History window opens and several messages flash by quickly. Disregard these messages. Complete the following sub-steps:

1. When prompted for a username, enter studentP.
(where P = pod number)

2. When prompted for a password, enter studentP.
(where P = pod number)

Step 5 Click OK.

You should have received an event notification. Answer the following questions:

Q1) What is the notification text?

A)

Q2) Which firewall did the client expect to see running on the local student PC?

A)

Q3) Click Close to close the Cisco Systems VPN Client Notification window. Answer the following question: Did the Cisco VPN Client actually connect?

A)

The Cisco VPN Client should not have allowed the connection since the BlackICE Defender firewall specified is not installed or operational on this student PC.
Task 5—Configure AYT with the Optional Firewall Feature

Suppose you want to use AYT with a specific firewall, but you still want people to be able to connect even if they do not have the firewall installed yet. In effect, you want to provide the remote users with a grace period in which to install a specific firewall on their PCs. Complete the following steps to enable an optional firewall:

Step 1 Maximize the Internet Explorer window.

Step 2 Enter a Concentrator public interface IP address in the Internet Explorer Address field: 192.168.P.5 (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.

Step 3 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account:
Login: admin
Password: admin

Note The username (login) and password are always case-sensitive.

Step 4 From the Configuration menu tree, choose User Management>Groups.

Step 5 Choose the training (Internally Configured) group from the Current Groups list.

Step 6 Click Modify Group.

Step 7 Select the Client FW tab.

Step 8 Choose the Firewall Setting group box and select Firewall Optional.

Step 9 Choose the Firewall group box and choose Network ICE BlackICE Defender from the list. By default, it should already be selected.

Step 10 Click Apply and save your work.

Step 11 Log out of the Concentrator and minimize the Internet Explorer window.
Task 6—Test AYT with the Optional Firewall Feature

Complete the following steps to launch the Cisco VPN Client on your student PC to test the AYT, optional firewall configuration:

Step 1 Ensure that the Cisco Systems VPN Client window is open. If it is not open, choose Start>Programs>Cisco Systems VPN Client>VPN Client from the main menu.

Step 2 Select studentP within the Connection Entry group box.
(where P = pod number)

Step 3 Verify that the IP address of the remote server is set to a Concentrator’s public interface IP address: 192.168.P.5.
(where P = pod number)

Step 4 Click Connect. The Connection History window opens and several messages flash by quickly. Disregard these messages. Complete the following sub-steps:

1. When prompted for a username, enter studentP.
(where P = pod number)

2. When prompted for a password, enter studentP.
(where P = pod number)

Step 5 Click OK. You should have received an event notification. Answer the following questions:

Q4) What is the notification text?

A)

Q5) What firewall did the Cisco VPN Client expect to see running on the local student PC?

A)

Q6) When you click Close, does the Cisco VPN Client still connect?

A)

The Cisco VPN Client should still connect even if the firewall is not found, installed, and operational. The Cisco VPN Client icon in the student PC’s system tray indicates a connection.

Step 6 Right-click the Cisco VPN Client icon in the student PC’s system tray.

Step 7 Select Disconnect to disconnect the client.
Task 7—Configure the Concentrator User Group for the CPP Feature

Now that you have configured and verified the AYT feature, you need to configure and verify the Central Policy Protection (CPP) feature. Follow these instructions to configure the user group CPP feature:

Step 1 Maximize the Internet Explorer window.

Lab 7-6 Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc.

Step 2 Enter a Concentrator’s public interface IP address in the Internet Explorer Address field: 192.168.P.5 (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.

Step 3 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account:
Login: admin
Password: admin

Note The username (login) and password are always case-sensitive.

Step 4 From the Configuration menu tree, choose User Management>Groups.

Step 5 Choose the training (Internally Configured) group from the Current Groups list.

Step 6 Click Modify Group.

Step 7 Select the Client FW tab.

Step 8 Choose the Firewall Setting group box and select Firewall Required.

Step 9 Choose the Firewall group box and choose Cisco Integrated Client Firewall from the list.

Step 10 Choose the Firewall Policy group box and note that Policy Pushed (CPP) is automatically selected. This is because the Cisco Integrated Client (CIC) firewall only supports CPP and not AYT.

Step 11 Choose Firewall Filter for VPN Client (Default) from the Firewall Policy drop-down menu.

Note This is the default Cisco VPN Client CPP policy defined in the 3.5 and higher Cisco VPN 3000 Series Concentrator software release. This policy blocks all inbound traffic on the Cisco VPN Client that is not related to any outbound traffic. This is essentially the same as the Cisco Integrated Client Stateful Firewall (Always On) policy, except this policy only applies when the Cisco VPN Client is connected and using split tunneling.

Step 12 Click Apply and save your work.

Step 13 Log out of the Concentrator and minimize the Internet Explorer window.

You have configured CPP for the Concentrator training user group. Because we enabled split tunneling in Task 1, the client should connect and accept the pushed CPP policy designated in the training user group record. Now you need to test your CPP configuration.
Task 8—Test the CPP Feature

In this task you will attempt to connect to the Concentrator using the Cisco VPN Client running the Cisco Integrated Client Firewall and a pushed CPP policy. Complete the following steps:

Step 1 Ensure that the Cisco Systems VPN Client window is open. If it is not open, choose Start>Programs>Cisco Systems VPN Client>VPN Client from the main menu.

Step 2 Select studentP within the Connection Entry group box.
(where P = pod number)
Step 3 Verify that the IP address of the remote server is set to a Concentrator’s public interface IP 
address of 192.168.P.5. 


(where P = pod number) 
Step 4 Click Options. A popup menu opens. 
Step 5 Ensure the Stateful Firewall (Always On) option is off (not selected). 


Step 6 Click Connect. The Connection History window opens and several messages flash by quickly. 
Disregard these messages. Complete the following sub-steps: 


1. When prompted for a username, enter studentP. 
(where P = pod number) 


2. When prompted for a password, enter studentP. 
(where P = pod number) 


Step 7 Click OK. 
The client should connect. 


Step 8 Right-click the Cisco VPN Client icon in the student PC’s system tray and choose Statistics. 
The Cisco Systems VPN Client Statistics window opens. 


Step 9 Select the Firewall tab and view the attributes of this connection. Answer the following 
questions: 


Q7) What personal firewall is running on this student PC? 


A) 


Q8) What firewall policy is active? 


A) 


Step 10 Select the Tunnel Details tab and leave it open. 
Step 11 Note the number of encrypted and decrypted packets. 
Step 12 Open a command prompt and ping your Concentrator’s private interface. 


View the Statistics tab again. Answer the following question: 


Q9) Did the encrypted and decrypted packets count change? 


A) 


The encrypted number should have increased since you are connected to the Concentrator 
through the secure tunnel. 


Step 13 Have one of the other training pods open a command prompt from the desktop icon and ping 
your student PC at 172.26.26.P. 


(where P = pod number) 


Answer the following question: 
Q10) Was the ping successful? 


A) 


The other students should not be able to ping your student PC because the filter is blocking all 
inbound sessions. 


Step 14 Attempt to ping 172.26.26.150 from your student PC, and answer the following question: 
Q11) Was the ping successful? 


A) 


You should be able to ping 172.26.26.150 because the filter allows outbound sessions. 


Step 15 Close the connection status window. Leave the client connected. 


Task 9—Use the Stateful Firewall (Always On) Feature 


Complete the following steps to enable the Cisco Integrated Client Stateful Firewall (Always 
On) feature: 


Step 1 Ensure that the Cisco Systems VPN Client window is open. If it is not open, choose 
Start>Programs>Cisco Systems VPN Client>VPN Client from the main menu. 


Step 2 Click Options. A popup menu opens. 
Step 3 Select the Stateful Firewall (Always On) option so that it is enabled (selected). 


Step 4 Disconnect the Cisco VPN Client. Now that the Cisco VPN Client connection has been 
terminated, you will test to see if the Stateful Firewall (Always On) policy is truly always on. 


Step 5 Open a command prompt and ping the IP address of another pod’s PC (172.26.26.Q). 


(where Q = peer pod number) 


Note Ensure that the other pod has disabled the Stateful Firewall feature first. 


Answer the following question: 


Q12) Were you able to ping the other pod’s PC? 


A) 


Step 6 You should be able to ping the other pod’s PC as the Stateful Firewall (Always On) policy 
always allows inbound sessions that are related to outbound requests. 


Step 7 Have another pod attempt to ping your PC at 172.26.26.P. 


(where P = pod number) 


Answer the following question: 


Q13) Was the other pod able to ping your PC? 
A) 


The other pod should not be able to ping your PC since the Stateful Firewall (Always On) policy 
always drops inbound packets not related to outbound sessions. This policy applies even when 
the client is not operating. Continue with the following steps to see what happens when you turn 
off the Stateful Firewall (Always On) feature. 


Step 8 Open the Cisco VPN Client by choosing Start>Programs>Cisco Systems VPN Client>VPN 
Client. 


Step 9 Select studentP within the Connection Entry group box. 
(where P = pod number) 
Step 10 Click Options. A popup menu opens. 
Step 11 Select the Stateful Firewall (Always On) option to turn it off and deselect it. 
Step 12 Close the Cisco VPN Client window. 
Step 13 Have another pod ping your PC at 172.26.26.P. 


(where P = pod number) 
Answer the following question: 
Q14) Was the other pod able to ping your PC? 


A) 


The other pod should be able to ping your PC since the Stateful Firewall (Always On) feature has been turned off.


Step 14 Close all open windows. 
Configure the Cisco Virtual Private Network Client Auto-Initiation Feature

Overview

This lesson explains how to configure the Cisco VPN Software Client auto-initiation feature. After presenting an overview of the feature, the lesson shows you each major step of the configuration. It includes the following topics:

■ Objectives
■ Overview of the Cisco VPN Software Client auto-initiation feature
■ Configure the Cisco VPN Software Client auto-initiation feature
■ Summary
■ Lab exercise

Objectives

This topic lists the lesson’s objectives.

Upon completion of this lesson, you will be able to perform the following tasks:

■ Configure the vpnclient.ini file.
■ Configure the Cisco VPN Software Client auto-initiation parameters.
■ Pause and resume the auto-initiation feature.
■ Monitor the progress of an auto-initiated IPSec tunnel.
Overview of the Cisco VPN Software Client Auto-Initiation Feature

This topic presents an overview of the Cisco Virtual Private Network (VPN) Software Client auto-initiation feature.

[Figure: Auto-Initiation Feature. A wireless PC on the ABC Corporation WLAN establishes an auto-initiated IPSec tunnel to the Cisco VPN 3000 Series Concentrator.]

Wireless LAN connections are often insecure. Using a Software Client to connect to the Concentrator over an encrypted wireless connection resolves the security problem. However, this places the burden of establishing the encrypted wireless VPN connection on the local wireless users of the corporate LAN. The auto-initiation feature is intended to relieve the user of this burden by providing an automated method for establishing VPN network connections. The intent is to achieve as seamless and secure an environment as possible with the software technology currently available.
Auto-Initiation Overview

[Figure: Auto-Initiation Overview. A PC at 172.26.26.1 on the ABC Corporation WLAN (network 172.26.26.0/24) with its vpnclient.ini ([main] section, EnableLog=1) and its student1 connection profile (.PCF with Description and enc_GroupPwd entries). Summary shown in the figure: Auto-initiation: Enabled; Wireless network: 172.26.26.0/24; VPN Client profile: student1; Concentrator: 192.168.1.5.]
Automatic VPN initiation (auto-initiation) provides secure connections within an on-site wireless LAN (WLAN) environment through a Concentrator. When auto-initiation is configured on the Software Client, the Software Client: 

■ Reads the VPNClient.ini file after one of the following: 

— System startup 
— PC standby or hibernation 
— Auto-initiation configuration changes 
— IP address changes 
— IPSec tunnel disconnect 

■ Determines, from the VPNClient.ini file, whether the auto-initiation feature is enabled. 

■ Determines whether the PC resides on one of the networks defined in the VPNClient.ini file auto-initiation network list. 

■ Determines which Software Client attributes to use when establishing an IPSec tunnel. The VPNClient.ini file defines where to find the attributes: the .PCF file named in the connection entry field. The .PCF file defines the Software Client connection attributes. 

■ Initiates a VPN connection using the attributes found in the connection .PCF file. 

■ Prompts the user to authenticate, and allows that user network access. 


In the figure, there is a wireless PC located on the ABC Corporation WLAN. After system startup, the Software Client checks the VPNClient.ini file. First, the Software Client detects that the auto-initiation feature is enabled. Next, the Software Client checks the IP address of the NIC, 172.26.26.1. From the NIC IP address, the Software Client determines that the PC resides on a network defined in the VPNClient.ini file, 172.26.26.0/24. The last step is to establish an IPSec tunnel using the information found in the connection entry profile. In this instance, the connection entry is student1.PCF. Using the information found in the student1.PCF file, the Software Client establishes an IPSec tunnel to the Concentrator at IP address 192.168.1.5. 
Configure the Cisco VPN Software Client Auto-Initiation Feature 

Auto-Initiation Administrative Requirements 

Figure: a Cisco VPN 3000 Series Concentrator serving the client network. Auto-initiation administrative requirements: 
• Network IP addresses 
• Subnet masks 
• .pcf files 


In the VPNClient.ini file, the network administrator can configure a list of up to 64 matched networks (IP address/subnet masks) and corresponding connection profiles (.pcf files). Typically, the administrator enters one network address and .PCF filename per site. When the Software Client detects that the PC resides on one of the networks in the auto-initiation network list, it automatically establishes a VPN connection using the profile listed for that network. 

Before the auto-initiation user begins, the administrator should gather the information needed to configure auto-initiation: 

■ The network IP address for the client network, 172.26.26.0. 
■ The subnet mask for the client network, 255.255.255.0. 
■ The filenames of all VPN connection entries (.PCF filenames) that users are using for their auto-initiation connections, student1.PCF. 

A user might always report to the same office. This probably requires one network address and .PCF filename. In other instances, another user might travel between several offices. This may require a network address and .PCF file name for each office visited. That depends on the company's network-addressing scheme. 
Configuration Parameters 

Figure: the global profile file vpnclient.ini before and after editing, alongside the VPN Client GUI (Cisco VPN Client Parameters). The edited vpnclient.ini reads: 

    [main] 
    AutoInitiationList=LocLab,RMTLab 
    AutoInitiationEnable=1 
    AutoInitiationRetryInterval=1 
    EnableLog=1 
    [LOG.DIALER] 
    LogLevel=3 
    [LOG.CVPND] 
    LogLevel=3 
    [LOG.CERT] 
    LogLevel=3 
    [LOG.IPSEC] 
    LogLevel=3 
    [LOG.CLI] 
    LogLevel=3 
    [LOG.FIREWALL] 
    LogLevel=3 
    [LocLab] 
    Network=172.26.0.0 
    Mask=255.255.0.0 
    ConnectionEntry=student1 
    [RMTLab] 
    Network=172.27.0.0 
    Mask=255.255.0.0 
    ConnectionEntry=student1 

The VPN Client window lists the connection entries scep and student1 (transport IPSec/UDP, status "Not connected") with the Options menu open: Application Launcher..., Automatic VPN Initiation..., Simple Mode Ctrl+M, Preferences..., Windows Logon Properties.... 
Groups of configuration parameters define the connection entries that remote users use to connect to a VPN device. There are two files: a global settings file and an individual connection profile. A global settings file defines the rules for all remote users; it contains parameters for the Software Client as a whole and auto-initiation parameters. The name of the global settings file is vpnclient.ini. Individual connection profiles contain the parameter settings for each VPN connection and are unique to that connection entry. Individual profiles have a .pcf extension (not shown). 

To configure auto-initiation for users on the network, the administrator must edit the global settings file to enable the feature on the VPN Client. By default, auto-initiation parameters are not present in the global settings file (vpnclient.ini). The administrator must add the parameters to the vpnclient.ini file with a text editor. 

Through the Software Client graphical user interface (GUI) application, the administrator can enable or disable auto-initiation and change the retry interval. To access these GUI parameters, the administrator chooses Start>Programs>Cisco Systems VPN Client>VPN Client and then selects Automatic VPN Initiation from the Options drop-down menu. 

Note When the auto-initiation parameters are not present in the global settings file, the Automatic VPN Initiation menu option does not appear in the Options drop-down menu. 
VPNClient.ini File Parameters 

The global settings file is created in one of two ways: when an administrator or a remote user creates connection entries using the VPN Client application (connection wizard), or when the administrator creates global settings using a text editor. In the first case, the remote user is also creating a file that can be edited with a text editor. The administrator can start with a global settings file generated through the GUI and then edit it. This approach lets you control some parameters that are not available in the Software Client GUI application, such as the auto-initiation feature. The default location for the global settings file is C:\Program Files\Cisco Systems\VPN Client. 

There are two sets of auto-initiation fields: auto-initiation parameters and auto-initiation sections. The VPNClient.ini file auto-initiation parameters are as follows: 
■ AutoInitiationList—A list of auto-initiation related section names within the INI file. Each of these sections contains a network address, subnet mask, and ConnectionEntry. If the PC is resident on one of these listed networks, the Software Client performs auto-initiation, if enabled. The auto-initiation list is evaluated in the order in which it was entered. In the above example, the LocLab section is evaluated first, the RMTLab section second, and so on. The VPNClient.ini file can contain a maximum of 64 entries. 

■ AutoInitiationEnable—Enables auto-initiation, which is an automated method for establishing a wireless VPN connection in a LAN environment. The values are 0 = Disable and 1 = Enable. 

■ AutoInitiationRetryInterval—Specifies the time to wait, in minutes, before retrying auto-initiation after a connection attempt failure. The allowable range of retry values is one to ten minutes, with a default value of one minute. 
The VPNClient.ini auto-initiation section defines the auto-initiation networks and the related .PCF file. If a PC resides on the defined network and auto-initiation is enabled, the Software Client will establish an IPSec tunnel automatically. The connection entry defines which connection profile, the .PCF file, to use when making the VPN connection. Entries from the .PCF file are used to pre-configure the VPN Client. The .PCF parameters define such values as the Concentrator IP address and the user's group name. The VPNClient.ini file auto-initiation section parameters are as follows: 

■ [section name]—Identifies one of the names listed in the AutoInitiationList field. Each section contains a network address, subnet mask, and connection entry. 

■ Network—Specifies the IP address of a network the PC may reside on. 

■ Mask—Specifies the subnet mask for that network. 

■ ConnectionEntry—Identifies the connection entry profile to be used if the PC resides on the preceding network. 

In the figure, there are two VPNClient.ini files, a default and an edited version. The left-hand one is the result of adding an IPSec tunnel via the connection wizard. Notice there are no auto-initiation parameters. On the right is a text-edited version of the file. The top three auto-initiation parameters enable the feature. The auto-initiation section parameters define the network address, subnet mask, and .pcf file name, student1. The network address of the local network is 172.26.0.0/255.255.0.0. The individual profile (.PCF) file linked to this address is student1. When auto-initiation is enabled, if the PC is resident on the 172.26.26.0/24 network, the Software Client will attempt to establish an IPSec tunnel using the attributes contained in the student1.PCF file. 
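The selection rule walked through earlier (read the list in order, match the PC's address against each section's Network and Mask, then use that section's ConnectionEntry) together with the parameter limits just listed, as an added Python example that is not Cisco's code. The vpnclient.ini text it parses is constructed from the figure, and rejecting out-of-range values is this example's own choice, since the lesson states only the allowable range.

```python
"""Added example (not Cisco's code): parse the auto-initiation settings of a
vpnclient.ini file and apply the selection rule this lesson describes.
Assumptions, all taken from the lesson: [main] carries AutoInitiationList,
AutoInitiationEnable and AutoInitiationRetryInterval; each listed section
carries Network, Mask and ConnectionEntry; the list is evaluated in the order
entered, holds at most 64 entries, and the retry interval is 1 to 10 minutes.
Rejecting out-of-range values is this example's choice. SAMPLE_INI is
constructed from the figure's values."""
import configparser
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_ENTRIES = 64               # sections AutoInitiationList may name
RETRY_MIN, RETRY_MAX = 1, 10   # AutoInitiationRetryInterval range, minutes
RETRY_DEFAULT = 1


@dataclass
class AutoInitEntry:
    section: str                    # name as listed in AutoInitiationList
    network: ipaddress.IPv4Network  # Network and Mask combined
    connection_entry: str           # .pcf profile name, without extension


@dataclass
class AutoInitConfig:
    enabled: bool
    retry_interval: int
    entries: List[AutoInitEntry] = field(default_factory=list)


def parse_auto_initiation(ini_text: str) -> AutoInitConfig:
    """Read the auto-initiation parameters and sections from INI text. A file
    without them (the wizard-generated default) parses as disabled, no entries."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    # configparser lowercases option names, so key lookups are case-insensitive;
    # section names are matched case-insensitively through this map.
    sections = {name.lower(): name for name in cp.sections()}
    if "main" not in sections:
        return AutoInitConfig(enabled=False, retry_interval=RETRY_DEFAULT)
    main = cp[sections["main"]]
    enabled = main.get("autoinitiationenable", "0").strip() == "1"
    retry = int(main.get("autoinitiationretryinterval", str(RETRY_DEFAULT)))
    if not RETRY_MIN <= retry <= RETRY_MAX:
        raise ValueError(f"AutoInitiationRetryInterval={retry} is outside "
                         f"{RETRY_MIN}-{RETRY_MAX} minutes")
    names = [n.strip() for n in main.get("autoinitiationlist", "").split(",")
             if n.strip()]
    if len(names) > MAX_ENTRIES:
        raise ValueError(f"AutoInitiationList names {len(names)} sections; "
                         f"the maximum is {MAX_ENTRIES}")
    entries = []
    for name in names:  # keep the administrator's order: first match wins
        if name.lower() not in sections:
            raise ValueError(f"section [{name}] is listed but not defined")
        sec = cp[sections[name.lower()]]
        net = ipaddress.IPv4Network(
            f"{sec['network'].strip()}/{sec['mask'].strip()}", strict=False)
        entries.append(AutoInitEntry(name, net, sec["connectionentry"].strip()))
    return AutoInitConfig(enabled, retry, entries)


def select_profile(cfg: AutoInitConfig, pc_ip: str) -> Optional[Tuple[str, str]]:
    """Return (section, ConnectionEntry) for the first listed network containing
    pc_ip, or None when auto-initiation is disabled or no network matches."""
    if not cfg.enabled:
        return None
    addr = ipaddress.IPv4Address(pc_ip)
    for entry in cfg.entries:
        if addr in entry.network:
            return entry.section, entry.connection_entry
    return None


def config_error(ini_text: str) -> Optional[str]:
    """Return why ini_text is unusable for auto-initiation, or None if it parses."""
    try:
        parse_auto_initiation(ini_text)
    except (ValueError, KeyError, configparser.Error) as exc:
        return str(exc)
    return None


# Constructed sample modelled on the figure: two sites, both using student1.pcf.
SAMPLE_INI = """\
[main]
AutoInitiationList=LocLab, RMTLab
AutoInitiationEnable=1
AutoInitiationRetryInterval=1
EnableLog=1
[LocLab]
Network=172.26.0.0
Mask=255.255.0.0
ConnectionEntry=student1
[RMTLab]
Network=172.27.0.0
Mask=255.255.0.0
ConnectionEntry=student1
"""

if __name__ == "__main__":
    cfg = parse_auto_initiation(SAMPLE_INI)
    for ip in ("172.26.26.1", "172.27.4.20", "10.0.1.7"):
        print(ip, "->", select_profile(cfg, ip))
```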
Cisco VPN Software Client Parameters 

Figure: the VPN Client Automatic VPN Initiation dialog box, with an "Enable automatic VPN initiation" check box and a "Retry Interval: (1 to 10 minutes)" field. 

The Options pop-up menu has an Automatic VPN Initiation dialog menu item. The Automatic VPN Initiation dialog box allows the user to enable or disable the auto-initiation feature, as well as modify the retry interval. The retry interval specifies, in minutes, the amount of time the client will wait before retrying an auto-initiation connection attempt. Both values are stored in the vpnclient.ini file. 
Auto-Initiate Connection 

Figure: the VPN Client window lists the connection entries scep and student1, both to host 192.168.1.5 with transport IPSec/UDP, and shows the status "Authenticating user...". In front of it, the "User Authentication for student1" dialog box prompts "Enter Username and Password." with the username student1 filled in and the password field masked. 


When the Software Client detects that the PC resides on one of the networks in the auto-initiation network list, it automatically tries to establish a VPN connection using the profile linked to that network. The Software Client informs you when the VPN connection is auto-initiating and at various stages of the auto-initiated connection process. 

In the example above, when the PC launches an IPSec tunnel, the auto-initiating VPN connection window opens. In the connection history window, the Software Client provides progress update messages. When it is time to authenticate the remote user, the user authentication window opens and prompts the remote user for a username and password. When the tunnel is successfully established, a closed yellow lock appears in the system tray. When auto-initiation is configured, some Software Client status displays and dialog boxes differ slightly from the standard connection dialog boxes to indicate to the user that auto-initiation is occurring. 
Auto-Initiation Termination 

Figure: the auto-initiation termination message box reads: "You have terminated your VPN connection. You no longer have access to your network resources. A VPN connection will be auto-initiated every 1 minutes. Do you wish to temporarily suspend the auto-initiation functionality?" with the buttons Suspend and Do not Suspend. The Cisco VPN Client menu, opened from the system tray icon, offers: VPN Client..., Resume Auto-initiation, Disable Auto-initiation, Stateful Firewall (Always On), About VPN Client.... 
When a user disconnects via the Lock icon in the system tray or via the connection status dialog box, the Software Client behaves differently than it does for a manually established IPSec tunnel: it displays a Cisco Systems Software Client termination message box. If the user selects Do Not Suspend in the message box, the Software Client terminates and auto-initiation will be retried later. The retry interval is user configurable. If the user selects Yes, the Software Client enters the suspended auto-initiation state, and an open yellow Lock icon is displayed in the system tray. Auto-initiation is temporarily suspended. 


The VPN Client menu is displayed when the user right clicks the open yellow Lock icon in the 
system tray. The VPN Client menu choices are Resume Auto-initiation or Disable Auto- 
initiation. The Resume Auto-initiation menu item will cause the Software Client to immediately 
auto-initiate a VPN connection. The Disable Auto-initiation menu item will cause the Software 
Client to disable auto-initiation in the vpnclient.ini file. The remote user can also disable auto- 
initiation from the Software Client GUI>Options>Automatic VPN Initiation window by de- 
selecting the Enable check box. Once disabled, the Software Client no longer automatically 
attempts to launch the VPN Client. It remains disabled until the feature is manually re-enabled. 
Cisco VPN Software Client Event Log 

Figure: the VPN Client Log Window, with Save, Log Settings, and Clear buttons, reads: 

    Cisco Systems VPN Client Version 4.0.1 (Rel) 
    Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved. 
    Client Type(s): Windows, WinNT 
    Running on: 5.0.2195 

    193 11:44:50.501 06/09/03 Sev=Info/6 GUI/0x63B00003 
    Auto-initiation has been resumed. 

    194 11:44:50.812 06/09/03 Sev=Info/4 CM/0x63100002 
    Begin connection process 

    195 11:44:50.822 06/09/03 Sev=Info/4 CM/0x63100004 
    Establish secure connection using Ethernet 

    196 11:44:50.822 06/09/03 Sev=Info/4 CM/0x63100024 
    Attempt connection with server "192.168.1.5" 

    197 11:44:50.822 06/09/03 Sev=Info/6 IKE/0x6300003B 
    Attempting to establish a connection with 192.168.1.5. 
The administrator can verify the progress of the auto-initiated tunnel by accessing the Cisco Systems IPSec Log viewer. In the figure, auto-initiation was resumed. The IPSec tunnel attempted to connect to the destination IP address, 192.168.1.5. The destination IP address was located in the PC's .PCF file. 
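The verification just described, as an added Python example that is not Cisco's code: it parses log entries in the two-line format the figure shows (a header line carrying sequence number, time, date, Sev=Class/level and Component/0xCode, followed by the message) and checks that the server the client attempted to reach is the Concentrator address the .PCF profile is expected to hold. The log text is constructed from the figure, and the header pattern is inferred from the five entries shown there.

```python
"""Added example (not Cisco's code): parse Cisco VPN Client log entries in the
two-line format shown in the lesson's Log Window figure and confirm that the
auto-initiated tunnel was attempted against the expected Concentrator. The
header pattern is inferred from the five entries in the figure; SAMPLE_LOG is
constructed from them."""
import re
from dataclasses import dataclass
from typing import Dict, List

# "193 11:44:50.501 06/09/03 Sev=Info/6 GUI/0x63B00003" followed by a message line
HEADER = re.compile(
    r"^(?P<seq>\d+)\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<date>\d{2}/\d{2}/\d{2})\s+"
    r"Sev=(?P<sev>[A-Za-z]+)/(?P<level>\d+)\s+(?P<comp>[A-Z]+)/0x(?P<code>[0-9A-Fa-f]{8})\s*$"
)
SERVER = re.compile(r'Attempt connection with server "([^"]+)"')


@dataclass
class LogEvent:
    seq: int
    time: str
    date: str
    severity: str   # e.g. Info
    level: int      # severity level within the class
    component: str  # GUI, CM, IKE, ...
    code: int       # event code, parsed from the 0x... hex field
    message: str


def parse_vpn_client_log(text: str) -> List[LogEvent]:
    """Pair each header line with the message line(s) that follow it; banner
    lines before the first header (version, copyright) are skipped."""
    events: List[LogEvent] = []
    current = None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = LogEvent(int(m["seq"]), m["time"], m["date"], m["sev"],
                               int(m["level"]), m["comp"], int(m["code"], 16), "")
            events.append(current)
        elif current is not None and line.strip():
            current.message = (current.message + " " + line.strip()).strip()
    return events


def check_auto_initiation(events: List[LogEvent], expected_server: str) -> Dict[str, object]:
    """Report whether auto-initiation was resumed, which server(s) the connection
    manager tried, and whether every attempt went to the expected Concentrator."""
    resumed = any(e.component == "GUI" and "auto-initiation" in e.message.lower()
                  and "resumed" in e.message.lower() for e in events)
    servers = [m.group(1) for e in events if e.component == "CM"
               for m in [SERVER.search(e.message)] if m]
    return {
        "resumed": resumed,
        "servers": servers,
        "expected_only": bool(servers) and all(s == expected_server for s in servers),
    }


# Constructed sample, cleaned up from the figure's Log Window.
SAMPLE_LOG = """\
Cisco Systems VPN Client Version 4.0.1 (Rel)
Copyright (C) 1998-2003 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.0.2195

193 11:44:50.501 06/09/03 Sev=Info/6 GUI/0x63B00003
Auto-initiation has been resumed.

194 11:44:50.812 06/09/03 Sev=Info/4 CM/0x63100002
Begin connection process

195 11:44:50.822 06/09/03 Sev=Info/4 CM/0x63100004
Establish secure connection using Ethernet

196 11:44:50.822 06/09/03 Sev=Info/4 CM/0x63100024
Attempt connection with server "192.168.1.5"

197 11:44:50.822 06/09/03 Sev=Info/6 IKE/0x6300003B
Attempting to establish a connection with 192.168.1.5.
"""

if __name__ == "__main__":
    # 192.168.1.5 is the Concentrator address from the lesson's student1.pcf
    print(check_auto_initiation(parse_vpn_client_log(SAMPLE_LOG), "192.168.1.5"))
```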
Summary 

This topic summarizes what you learned in this lesson. 

Summary 

• Auto-initiation enables a Cisco VPN Software Client to establish an IPSec tunnel automatically. 

• Auto-initiation is initiated after system restart, standby or hibernation mode, IP address change, auto-initiation configuration change, or IPSec tunnel disconnect. 

• Auto-initiation parameters are added to the vpnclient.ini file via a text editor. 

• A .pcf filename, network address, and subnet mask are needed for each site. 
Lab Exercise—Configure the Cisco VPN Client Auto-Initiation Feature 

Complete the following lab exercise to practice what you learned in this lesson. 

Objectives 

Your task in this lab exercise is to configure and monitor the Cisco Virtual Private Network (VPN) Client auto-initiation. Work with your lab partner to complete the following tasks: 

■ Complete the lab exercise setup. 
■ Manually launch the Cisco VPN Client. 
■ Verify the auto-initiation feature is not enabled. 
■ Enable the auto-initiation feature. 
■ Establish an IPSec tunnel using the auto-initiation feature. 
■ Disconnect and re-establish the IPSec tunnel. 
■ Suspend and resume the auto-initiation feature. 
■ Disable the auto-initiation feature. 
Visual Objective 

The following figure displays the configuration you will complete in this lab exercise. 

Lab Visual Objective 

Figure: the student PC running the Cisco VPN Client, at 172.26.26.P on the 172.26.26.0 network (default gateway .150), connects through the lab router to the Cisco VPN 3000 Series Concentrator, whose public network is 192.168.P.0 and whose private network is 10.0.P.0. 


Scenario 


Your employer has asked you to provide better security for your wireless users. You will 
configure users for the Cisco VPN Client auto-initiation. 


Task 1—Complete the Lab Exercise Setup 

Before starting this lab exercise, verify your equipment as follows: 

■ Ensure that your student PC is powered on. 
■ Ensure your student PC IP addresses are configured correctly: 
— Primary IP address—172.26.26.P (where P = pod number) 
— Default gateway IP address—172.26.26.150 
■ Ensure that your Concentrator is powered on. 
Task 2—Manually Launch the Cisco VPN Client 

In this task, verify you can establish an IPSec tunnel manually. Complete the following steps to launch the Cisco VPN Client on your student PC: 

Step 1 Choose Start>Programs>Cisco Systems VPN Client>VPN Client. 

Step 2 Verify that the connection entry is studentP. (where P = pod number) 

Step 3 Verify that the IP address of the remote server is set to the Cisco VPN 3000 Series Concentrator's public interface IP address of 192.168.P.5. (where P = pod number) 

Step 4 Click Connect. The Connection History window opens and several messages flash by quickly. Complete the following sub-steps: 
1. Enter studentP when you are prompted for a username. (where P = pod number) 
2. Enter studentP when you are prompted to enter a password. (where P = pod number) 

Step 5 Click OK. The window closes and a Cisco VPN Client icon appears in the system tray. 

Step 6 Disconnect the IPSec tunnel. 


Task 3—Verify the Auto-Initiation Feature Is Not Enabled 

The auto-initiation feature is configured manually on the Cisco VPN Client. Complete the following steps to view the default vpnclient.ini file: 

Step 1 Go to the My Computer>Local Disk (C:)>Program Files>Cisco Systems>VPN Client folder on the student PC. The Cisco VPN Client folder opens. 

Step 2 Select the vpnclient.ini file in the Cisco VPN Client window, and open it with Notepad. Examine the contents. 

Step 3 Close the Notepad window and minimize the Cisco VPN Client window. 

Step 4 Choose Start>Programs>Cisco Systems VPN Client>VPN Client. The Cisco Systems VPN Client window opens. 

Step 5 Select Options from the drop-down menu and verify that the Automatic VPN Initiation menu selection is not present. 

Step 6 Close the Cisco Systems VPN Client window. 


Task 4—Enable the Auto-Initiation Feature 

Complete the following steps to configure the vpnclient.ini file for auto-initiation: 

Step 1 Maximize the Cisco VPN Client folder. 

Note If the VPN Client folder contains a file called internal.ini, copy the contents of this file to the beginning of the vpnclient.ini file before continuing. 
Step 2 Select the vpnclient.ini file from the Cisco VPN Client window, and open it with Notepad. 

Step 3 Using the text-editing feature of Notepad, add the auto-initiation parameters to the vpnclient.ini file. Directly after [main], add the following lines: 

AutoInitiationList=studentP 
AutoInitiationEnable=0 
AutoInitiationRetryInterval=1 

(where P = pod number; do not add this line to the file) 

Step 4 Using the text-editing feature of Notepad, add the auto-initiation list parameters to the vpnclient.ini file. Add the following lines at the bottom of the file: 

[studentP] 
Network=172.26.26.0 
Mask=255.255.255.0 
ConnectionEntry=studentP 

(where P = pod number; do not add this line to the file) 
Step 5 Select File>Save from the Notepad tool bar. 


Step 6 Close Notepad and the Cisco VPN Client. 


Step 7 Choose Start>Programs>Cisco Systems VPN Client>VPN Client. The Cisco Systems VPN 
Client window opens. 


Step 8 Select Options. 

Step 9 Select Automatic VPN Initiation from the Options drop-down menu. 

Step 10 Select the Enable check box from the Automatic VPN Initiation window. 


Step 11 Click Apply from the Automatic VPN Initiation window. 


Task 5—Establish an IPSec Tunnel Using the Auto-Initiation Feature 

Upon closing the Cisco Systems VPN Client window, you started the auto-initiation process. The Cisco VPN Client re-reads the vpnclient.ini file. Due to the editing completed in the last task, auto-initiation is now enabled with a retry timer of 1 minute. In approximately one minute, an auto-initiating VPN connection window should appear. The auto-initiating VPN connection to 192.168.P.5 message window opens. This window is followed closely by the User Authentication of studentP window. Complete the following steps in the User Authentication of studentP window: 


Step 1 Enter studentP when you are prompted for a username. (where P = pod number) 

Step 2 Enter studentP when you are prompted for a password. (where P = pod number) 

Step 3 Click OK. 

The window closes, the Cisco VPN Client icon appears in the system tray, and the auto-initiated VPN connection is successfully established. 


Task 6—Disconnect and Re-establish the IPSec Tunnel 


Upon disconnecting an IPSec tunnel, you are prompted to resume or suspend the auto-initiation 
feature. If you answer No, the auto-initiation feature resumes. Complete the following steps to 
disconnect and resume the auto-initiation: 


Step 1 Disconnect your VPN connection using the Cisco VPN Client icon in the student PC’s system 
tray. The VPN Client window opens. 


Step 2 Answer the following questions from the Cisco Systems VPN Client window: 

Q1) If you click Suspend, what will happen? (Do not click Suspend at this time.) 

A) 

Step 3 Click Do not Suspend. 

Q2) By clicking Do not Suspend, what happens? 

A) 


Step 4 The auto-initiating process resumes. After approximately 1 minute, the auto-initiating VPN 
connection to 192.168.P.5 message window opens. This window is followed closely by the User 
authentication of studentP window. Complete the following sub-steps in the User authentication 
of studentP window: 


1. Enter studentP when you are prompted for a username. 
(where P = pod number) 


2. Enter studentP when you are prompted for a password. 
(where P = pod number) 


3. Click OK. 


The window closes, the Cisco VPN Client icon appears in the system tray, and the auto-initiated 
VPN connection is successfully established. 


Task 7—Suspend and Resume the Auto-Initiation Feature 

In this task, you will disconnect the IPSec tunnel and suspend auto-initiation. 


Step 1 Disconnect your VPN connection using the Cisco VPN Client icon in the student PC’s system 
tray. The VPN Client window opens. 


Step 2 Click Suspend in the Cisco Systems VPN Client window, and answer the following question: 

Q3) What happens to the VPN auto-initiation? 

A) 
Step 3 Right-click the Cisco VPN Client icon. The Cisco VPN Client menu is displayed. 

Step 4 Select Resume Auto-initiation and answer the following question. 

Q4) What happens? 

A) 

Step 5 Complete the following sub-steps in the User Authentication of studentP window: 
1. Enter studentP when you are prompted for a username. (where P = pod number) 
2. Enter studentP when you are prompted for a password. (where P = pod number) 
3. Click OK. The window disappears and the Cisco VPN Client icon appears in the system tray. 


Task 8—Disable the Auto-Initiation Feature 

In this task, you will disable and then manually re-enable auto-initiation. 

Step 1 Disconnect your VPN connection using the Cisco VPN Client icon in the student PC's system tray. The VPN Client window opens. 

Step 2 Click Suspend in the VPN Client window. The auto-initiation feature is suspended. 

Step 3 Right-click the Cisco VPN Client icon on the system tray. The Cisco VPN Client menu is displayed. 

Step 4 Select Disable Auto-initiation. The VPN Client window opens. From the VPN Client window, answer the following question: 

Q5) If you click Disable, what will happen? 

A) 

Step 5 Click Disable. 

Step 6 Go to the My Computer>Local Disk (C:)>Program Files>Cisco Systems>VPN Client folder on the student PC. The Cisco VPN Client folder opens. 

Step 7 Select the vpnclient.ini file from the Cisco VPN Client window, and open it with Notepad. Answer the following question after you have viewed the file: 

Q6) The AutoInitiationEnable field equals 0. What does this mean? 

A) 

Step 8 Close Notepad. 

Step 9 Close the Cisco VPN Client window. The auto-initiation feature is disabled. 

Step 10 Once auto-initiation is disabled, you must re-enable it manually. Choose Start>Programs>Cisco Systems VPN Client>VPN Client to re-enable auto-initiation. The Cisco Systems VPN Client window opens. 
Step 11 Click Options. The Options drop-down menu opens. 

Step 12 Select Automatic VPN Initiation. The Automatic VPN Initiation window opens. 

Q7) What is the status of Automatic VPN Initiation? 

A) 

Step 13 Select Enable and click Apply. 

Step 14 Close the Cisco Systems VPN Client window. Auto-initiation is re-enabled. The auto-initiation process should begin immediately. 

Step 15 Complete the following sub-steps in the User Authentication of studentP window: 
1. Enter studentP when you are prompted for a username. (where P = pod number) 
2. Enter studentP when you are prompted for a password. (where P = pod number) 
3. Click OK. 

Step 16 The window closes and the Cisco VPN Client icon appears in the system tray. Auto-initiation has resumed. 

Step 17 Complete the following sub-steps to disable auto-initiation: 
1. Double-click the Cisco VPN Client icon in the student PC's system tray. The VPN Client window opens. 
2. Click Disconnect. The Cisco Systems VPN Client window opens. 
3. Click Suspend. 
4. Right-click the Cisco VPN Client icon in the student PC's system tray. 
5. Select Disable Auto-initiation. The Cisco Systems VPN Client window opens. 
6. Click Disable. 

Copyright © 2005, Cisco Systems, Inc. Configure the Cisco Virtual Private Network Client Auto-initiation Feature Lab 8-7 


Lab 8-8 Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc. 


Monitor and Administer the Cisco VPN 3000 Series Concentrator Remote Access Networks 

Overview 

This lesson teaches how to monitor and administer Cisco Virtual Private Network (VPN) 3000 Series Concentrator remote access networks. It includes the following topics: 

■ Bandwidth Management 
■ Summary 
■ Lab exercise 

Objectives 

This topic lists the lesson's objectives. 

Objectives 

Upon completion of this lesson, you will be able to perform the following tasks: 

• Configure monitoring for the Cisco VPN 3000 Series Concentrator. 

• Perform basic administrative tasks such as configuring access control, event classes, file management, and the AAA server and updating the software on the Cisco VPN 3000 Series Concentrator. 

• Configure bandwidth management. 
Monitoring 

This topic presents an overview of monitoring. 

Monitor Index 

Figure: the Monitoring index page of the VPN 3000 Concentrator Manager reads: 

    This section of the Manager lets you view VPN 3000 Concentrator status, sessions, statistics, and event logs. 

    In the left frame, or in the list of links below, click the function you want: 

    o Routing Table -- current valid routes and protocols. 
    o Dynamic Filters -- view dynamic filters and their dynamic rules. 
    o Filterable Event Log -- current event log. 
    o Live Event Log -- current event log. 
    o System Status -- current software revisions, uptime, front-panel LEDs, network interfaces, SEP modules, and power supplies. 
    o Memory Status -- free bytes, used bytes, usage etc. 
    o Sessions -- all active sessions and "top ten" sessions. 
    o Statistics -- accounting, address pools, administrative AAA, authentication, authorization, bandwidth management, compression, DHCP, DNS, events, filtering, HTTP, IPSec, L2TP, load balancing, NAT, PPTP, SSH, SSL, Telnet, VRRP and MIB-II statistics. 
The Concentrator tracks many statistics and the status of many items essential to system administration and management. Monitoring enables you to view Concentrator status, sessions, statistics, and event logs, including the following: 

■ Routing table—Current valid routes, protocols, and metrics 

■ Dynamic filters—Current dynamic filters and their associated rules 

■ Event logs—Current event log in memory 

■ System status—Current software revisions, uptime, system power supplies, Ethernet interfaces, front-panel LEDs, and hardware sensors 

■ Sessions—Currently active sessions sorted by protocol, Scalable Encryption Processing (SEP), and encryption; and top ten sessions sorted by data, duration, and throughput 

■ Statistics—Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), IPSec, HTTP, events, Telnet, Domain Name System (DNS), authentication, accounting, filtering, Virtual Router Redundancy Protocol (VRRP), Secure Sockets Layer (SSL), load balancing, and compression; and Management Information Base (MIB)-II objects for interfaces, TCP/UDP, IP, Internet Control Message Protocol (ICMP), and Address Resolution Protocol (ARP) 
Monitor System Status 

Figure: the Monitoring>System Status window reads: VPN Concentrator Type: 3005; Serial Number; Bootcode Rev: Cisco Systems, Inc./VPN 3000 Concentrator Series Version 2.5.Rel Jun 21 2000 18:57:52; Software Rev: Cisco Systems, Inc./VPN 3000 Concentrator Version 4.0.1.Rel May 06 2003 13:13:03; Up For: 0:55:09; Up Since: 06/16/2003 15:54:19; RAM Size: 32 MB (Memory Status: Green). Below a back-panel picture ("select and click a module for status details") it shows the Fan 1 and Fan 2 speeds in RPM, the CPU temperature (20°C/68°F), and graphs of CPU Utilization, Active Sessions, and Throughput. 
The Monitoring>System Status window enables the administrator to view information on both the hardware and software. The system status display enables you to view the following: 

■ Boot code revision and software revision 
■ Uptime 
■ Fan speed 
■ RAM size 
■ Temperature 
■ CPU use 
■ Active sessions 
■ Aggregate throughput 

The system status display can be used for quick and easy checks of basic system operation. 

Besides the Monitoring>System Status window, you can also access and view the hardware and software status via the command line interface (CLI) or through Simple Network Management Protocol (SNMP). 
Monitor Interface Statistics 


© 2003, Cisco Systems, Inc. All rights reserved. 


Figure: the interface statistics table has the columns Interface, IP Address, Status, Rx Unicast, Tx Unicast, Rx Multicast, Tx Multicast, Rx Broadcast, and Tx Broadcast. 
The Monitor System Status>Interface window enables the administrator to view all Ethernet interfaces. Place the mouse cursor over the Ethernet interface and click it to view real-time port statistics. The interface statistics display the following:

■ IP address
■ Status
■ Receive unicast
■ Transmit unicast
■ Receive multicast
■ Transmit multicast
■ Receive broadcast
■ Transmit broadcast
Monitor Power Supply Status

[Screenshot: the Monitor System Status>Power window, showing for the CPU and each power supply the 2.5V reading (2.49V, Status OK), the 3.3V reading and status, and the 5V reading and status.]
The Monitor System Status>Power window enables the administrator to view all power supplies. Place the mouse cursor over the power supply and click it to view real-time statistics. By doing this, you can also view the Concentrator's power supply status. The power supply status indicates the following:

■ One or both power supplies, voltages, and status
■ Main board voltages and status
■ CPU voltages and status

Note   Most of these items are available through CLI and SNMP monitoring.
Monitor Routing Table

[Screenshot: the Monitoring>Routing Table window, with a Clear Routes button and Valid Routes: 3.]

Address       Mask             Next Hop      Interface   Protocol   Age   Metric
0.0.0.0       0.0.0.0          192.168.1.1   2           Default    0     1
10.0.1.0      255.255.255.0    0.0.0.0       1           Local      0     1
192.168.1.0   255.255.255.0    0.0.0.0       2           Local      0     1
The Monitoring>Routing Table window enables an administrator to view the Concentrator's routing table. The IP routing subsystem examines the destination IP address of packets coming through the Concentrator and forwards or drops them according to the routing table.

The table includes all routes that the IP routing subsystem knows about, from whatever source: static routes, routes learned via IP routing protocols such as Open Shortest Path First (OSPF), interface addresses, and so on. The Monitoring>Routing Table window enables you to view the following:

■ Valid routes
■ Addresses and masks
■ The next hop
■ Interface
■ Protocol
■ Age
■ Metric

Note   This information is available through the CLI also.
Monitor General Statistics

[Screenshot: the Monitoring>Statistics index window. It reads: "This section shows statistics for VPN 3000 Concentrator tunneled sessions, traffic, connection activity, and standard MIB-II objects. In the left frame, or in the list of links below, click the statistics you want to view:" followed by links including PPTP, DHCP, Events, Telnet, Filtering, VRRP, Load Balancing, Bandwidth Management, NAT, Compression, and MIB-II (interfaces, TCP/UDP, IP, RIP, OSPF, ICMP, ARP table, ...).]
The Monitoring>Statistics window displays statistics for traffic and activity on the Concentrator since it was last booted or reset. The following can be monitored:

■ PPTP—Total tunnels, sessions, received and transmitted control and data packets, and detailed current session data
■ L2TP—Total tunnels, sessions, received and transmitted control and data packets, and detailed current session data
■ IPSec—Tunnels, received and transmitted packets, and session details
■ HTTP—Total data traffic and connection statistics
■ Events—Total events sorted by class, number, and count
■ Telnet—Total sessions, and current session inbound and outbound traffic
■ DNS—Total requests, responses, timeouts, and so on
■ Authentication—Total requests, accepts, rejects, challenges, timeouts, and so on
■ Accounting—Total requests, responses, timeouts, and so on
■ Filtering—Total inbound and outbound filtered traffic by interface
■ VRRP—Total advertisements, master router roles, errors, and so on
■ SSL—Sessions, and encrypted versus decrypted traffic
■ DHCP—Leases and durations
■ Address Pools—Configured pools and allocated addresses
■ SSH—Sessions, inbound and outbound
■ Load Balancing—Load, state, peers, and so on
■ Compression—Precompressed, postcompressed, ratios, and so on
■ Administrative AAA—Requests, accepts, rejects, challenges, timeouts, and so on
■ NAT—Sessions, inbound and outbound packets, and so on
■ MIB-II Stats—Interfaces, TCP and UDP, IP, ICMP, and ARP
Monitor Statistics IPSec

[Screenshot: the Monitoring>Statistics>IPSec window, with two counter tables.

IKE (Phase 1) Statistics: Active Tunnels, Total Tunnels, Received Bytes, Sent Bytes, Received Packets, Sent Packets, Received Packets Dropped, Sent Packets Dropped, Received Notifies, Sent Notifies, Received Phase-2 Exchanges, Sent Phase-2 Exchanges, Invalid Phase-2 Exchanges Received, Invalid Phase-2 Exchanges Sent, Rejected Received Phase-2 Exchanges, Rejected Sent Phase-2 Exchanges, Phase-2 SA Delete Requests Received, Phase-2 SA Delete Requests Sent, Initiated Tunnels, Failed Initiated Tunnels, Failed Remote Tunnels, Authentication Failures, Decryption Failures, Hash Validation Failures, System Capability Failures, No-SA Failures.

IPSec (Phase 2) Statistics: Active Tunnels, Total Tunnels, Received Bytes, Sent Bytes, Received Packets, Sent Packets, Received Packets Dropped, Received Packets Dropped (Anti-Replay), Sent Packets Dropped, Inbound Authentications, Failed Inbound Authentications, Outbound Authentications, Failed Outbound Authentications, Decryptions, Failed Decryptions, Encryptions, Failed Encryptions, System Capability Failures, No-SA Failures, Protocol Use Failures.]
The Monitoring>Statistics>IPSec window displays statistics for IPSec activity in two tables: Internet Key Exchange (IKE) Phase 1 statistics and IPSec Phase 2 statistics.
Monitor Sessions

[Screenshot: the Monitoring>Sessions window, with Reset and Refresh buttons and a Group filter (-All-). It reads: "This screen shows statistics for sessions. To refresh the statistics, click Refresh. Select a Group to filter the sessions. For more information on a session, click on that session's name."

Session Summary: Active LAN-to-LAN Sessions, Active Remote Access Sessions, Active Management Sessions, Total Active Sessions, Peak Concurrent Sessions, Concurrent Sessions Limit (100 in the example), and Total Cumulative Sessions.

LAN-to-LAN Sessions table (columns Connection Name, IP Address, Protocol, Encryption, Login Time, Duration, Bytes Tx, Bytes Rx): No LAN-to-LAN Sessions.

Remote Access Sessions table (columns Username, Assigned IP Address, Public IP Address, Protocol, Encryption, Login Time, Duration, Client Type, Version, Bytes Tx, Bytes Rx): one session for student1, assigned address 10.0.1.70, public address 192.168.1.6, IPSec, 3DES-168, logged in Jul 29 15:14:19, duration 0:00:18, client type WinNT.

Management Sessions table (columns Administrator, IP Address, Protocol, Encryption, Login Time, Duration): admin, encryption None, logged in Jul 29 14:14:33, duration 0:00:05.]
The Monitoring>Sessions window displays comprehensive data for currently active user and administrator sessions on the Concentrator. The following session information is available:

■ Refresh button—Click Refresh to update the window and its session information. The date and time indicate when the window was last updated.

■ Session Summary table—Shows summary totals for LAN-to-LAN, remote access, and management sessions.

■ LAN-to-LAN Sessions table—Shows parameters and statistics for all active IPSec LAN-to-LAN sessions. Each session identifies only the outer LAN-to-LAN connection or tunnel, not individual host-to-host sessions within the tunnel.

■ Remote Access Sessions table—Shows parameters and statistics for all active remote-access sessions. Each session is a single-user connection from a remote client to the Concentrator.

■ Management Sessions table—Shows parameters and statistics for all active administrator management sessions on the Concentrator.
Monitor Sessions—Protocols

[Screenshot: the Monitoring>Sessions>Protocols window with a Group filter (-All-), Active Sessions: 2, Total Sessions: 37, and a table of Protocol, Sessions, a bar graph, and Percentage. Two protocols show 50.0% each; the remaining rows (including SNMP, TFTP, Console, Debug/Telnet, Debug/Console, L2TP/IPSec, IPSec/LAN-to-LAN, IPSec/UDP, SSH, VCA/IPSec, IPSec/TCP, IPSec/NAT-T, IPSec/LAN-to-LAN/NAT-T, and L2TP/IPSec/NAT-T) show 0.0%.]
The Monitoring>Sessions>Protocols window displays the protocols used by the currently active sessions. The following information is available:

■ Refresh button—Click Refresh to update the window and its session information. The date and time indicate when the window was last updated.

■ Active Sessions—The number of currently active sessions.

■ Total Sessions—The total number of sessions since the Concentrator was last booted or reset.

■ Protocol column—The protocol that the session is using.

■ Sessions column—The number of active sessions using this protocol. The sum of this column equals the total number of active sessions listed in the top left part of the window.

■ Bar graph column—The percentage of sessions using this protocol, relative to the total active sessions, as a horizontal bar graph. Each segment of the bar in the column heading represents 25 percent.

■ Percentage column—The percentage of sessions using this protocol relative to the total active sessions, as a number. The sum of this column equals 100%.
Monitor Events

[Screenshot: the Configuration>System>Events index window, with a Save button. It reads: "This section of the Manager lets you configure how the VPN 3000 Concentrator Series handles events: alarms, traps, error conditions, status changes, etc. In the left frame, or in the list of links below, click the option you want to configure:"

• General -- general (default) event handling.
• FTP Backup -- FTP backup of event log files.
• Classes -- special handling of specific event classes.
• Trap Destinations -- SNMP trap message destinations.
• Syslog Servers -- UNIX syslog message servers.
• SMTP Servers -- SMTP servers for event notification.
• Email Recipients -- recipients for event notification via email.]
The Configuration>System>Events window enables you to configure how the Concentrator handles events. Events provide information for system monitoring, auditing, management, accounting, and troubleshooting.
Configure System Events

[Screenshot: the Configuration>System>Events>General window. It reads "This section lets you configure default event handling." and shows these fields:

Save Log on Wrap (check box): Check to save the event log to a file on wrap.
Save Log Format (Multiline): Select the format of the saved log files.
FTP Saved Log on Wrap (check box): Check to automatically FTP the saved log to a remote destination.
Email Source Address: Enter the email address that appears in the From: field.
Syslog Format: Select the format of Syslog messages.
Severity to Log (1-5): Select the range of severity values to enter in the log.
Severity to Console (1-3): Select the range of severity values to display on the console.
Severity to Syslog (None): Select the range of severity values to send to a Syslog server.
Severity to Email (None): Select the range of severity values to send via email to the recipient list.
Severity to Trap (None): Select the range of severity values to send to an SNMP system.

Apply and Cancel buttons.]
The Configuration>System>Events>General window enables you to configure the default, or general, handling of all events. These defaults apply to all event classes. The following options can be configured in this window:

■ Save Log on Wrap check box—Select this check box to automatically save the event log when it is full. (The check box is deselected by default.) The event log holds 2048 entries. When the log is full, the entries wrap; that is, entry 2049 overwrites entry 1, and so on.

■ Save Log Format drop-down menu—Click the drop-down menu button to choose the format of the saved log files.

■ FTP Saved Log on Wrap check box—Select this check box to automatically send the saved event log file, when it wraps, via FTP to a remote computer.

■ Email Source Address field—Enter the address to put in the From: field of an e-mailed event message.

■ Syslog Format drop-down menu—Click the drop-down menu button and choose the format for all events sent to UNIX Syslog servers.

■ Severity to Log drop-down menu—Click the drop-down menu to select the range of severity values to enter in the log. The default is 1-5, which means that all events of severity level 1 through severity level 5 are entered in the event log.

■ Severity to Console drop-down menu—Click the drop-down menu to select the range of severity values to display on the console. The default is 1-3, which means that all events of severity level 1 through severity level 3 are displayed on the console.

■ Severity to Syslog drop-down menu—Click the drop-down menu button and choose the range of event severity levels to send to a Syslog server. By default, no events are sent.

■ Severity to Email drop-down menu—Click the drop-down menu button and choose the range of event severity levels to send to e-mail recipients.

■ Severity to Trap drop-down menu—Click the drop-down menu button and choose the range of event severity levels to send to an SNMP network management system.
Monitor Live Event Log

[Screenshot: the Monitoring>Live Event Log window, showing the following entries.]

110 02/08/2002 08:44:11.200 SEV=4 IKE/120 RPT=43 192.168.1.6
Group [service] User [student2]
PHASE 2 COMPLETED (msgid=482de2ce)

111 02/08/2002 08:44:11.200 SEV=4 AUTOUPDATE/19 RPT=16
Sending IKE Notify: AutoUpdating clients in group [service]
Client delay: 0, instID: 000003FE

113 02/08/2002 08:44:11.270 SEV=4 IKE/49 RPT=44 192.168.1.6
Group [service] User [student2]
Security negotiation complete for User (student2)
Responder, Inbound SPI = 0x71b3406b, Outbound SPI = 0x085teef1

116 02/08/2002 08:44:11.270 SEV=4 IKE/120 RPT=44 192.168.1.6
Group [service] User [student2]
PHASE 2 COMPLETED (msgid=b525d793)

117 02/08/2002 08:45:31.130 SEV=5 AUTH/36 RPT=37
User [ admin ] Protocol [ HTTP ] attempted ADMIN logon.
Status: <ACCESS GRANTED> !

119 02/08/2002 08:45:31.130 SEV=4 AUTH/22 RPT=58
User admin connected

120 02/08/2002 08:45:31.130 SEV=4 HTTP/47 RPT=33 10.0.1.12
New administrator login: admin.

[Buttons at the bottom: Pause Display | Clear Display | Restart | timer (5)]

Warning: This session will not time out.
The Monitoring>Live Event Log window displays events in the current event log and automatically updates the display every five seconds. The events might take a few seconds to load when you first open the window. The window always displays the most recent event at the bottom. Use the scroll bar to view earlier events. To filter and display events by various criteria, choose the Monitoring>Filterable Event Log window. If you keep this Concentrator Manager window open, your administrative session does not time out. Each automatic window update resets the inactivity timer. The buttons at the bottom of the Live Event Log window are as follows:

■ Pause Display button—To pause the display, click Pause Display. While paused, the window does not display new events, the button changes to Resume Display, and the timer counts down to 0 and stops. You can still scroll through the event log.

■ Resume Display button—After you have clicked the Pause Display button, the button changes to Resume Display, and the timer counts down to 0 and stops. Click Resume Display to resume the display of new events and restart the timer.

■ Clear Display button—To clear the event display, click Clear Display. This action does not clear the event log; it only clears the display of events in this window.

■ Restart button—To clear the event display and reload the entire event log in the display, click Restart. This action does not clear the event log; it only clears the display of events in this window.

■ Timer—The timer counts 5, 4, 3, 2, and 1 to show where it is in the 5-second refresh cycle. The Receiving message at the bottom of the Live Event Log window indicates receipt of new events. A steady 0 indicates that the display has been paused.

The live event log requires Microsoft Internet Explorer release 4.0 or higher, or Netscape versions 4.5-4.7 or 6.0.
Monitor Event Log

[Screenshot: the Monitoring>Filterable Event Log window. Select Filter Options: Event Class (All Classes, AUTH, AUTHDBG, AUTHDECODE, ...), Severities, Client IP Address (0.0.0.0), Events/Page (100), Group (-All-), Direction (Oldest to Newest); four Page buttons, and Get Log, Save Log, and Clear Log buttons. The window shows the following entries.]

1 04/12/2001 13:35:05.820 SEV=3 AUTH/5 RPT=1 192.168.1.
Authentication rejected: Reason = User was not found
handle = 1, server = Internal, user = student5, domain = <not specified>

3 04/12/2001 13:35:14.850 SEV=4 IKE/52 RPT=1 192.168.1.
Group [training] User [student1]
User (student1) authenticated.

4 04/12/2001 13:35:15.870 SEV=4 AUTH/21 RPT=7
User student1 connected

5 04/12/2001 13:35:15.070 SEV=4 IKE/119 RPT=1 192.168.1.6
Group [training] User [student1]
PHASE 1 COMPLETED

6 04/12/2001 13:35:15.870 SEV=5 IKE/25 RPT=1 192.168.1.6
Group [training] User [student1]
Received remote Proxy Host data in ID Payload:
Address 10.0.1.30, Protocol 0, Port 0

9 04/12/2001 13:35:15.870 SEV=5 IKE/24 RPT=1 192.168.1.6
Group [training] User [student1]
Received local Proxy Host data in ID Payload:
Address 192.168.1.5, Protocol 0, Port 0
The Monitoring>Filterable Event Log window enables graphical user interface (GUI) access for viewing events in the current event log. The log holds up to 2048 events and wraps when full. The ability to manage the event log file is also provided. The administrator can select any or all of the following four options for filtering and displaying the event log:

■ Event Class drop-down menu—Click the drop-down menu button and choose the event class to display all the events in a single event class.

■ Severities drop-down menu—Click the drop-down menu button and choose the severity level to display all the events of a single severity level.

■ Client IP Address field—Displays all the events relating to a single IP address. The specific IP address is entered manually.

■ Events/Page drop-down menu—Click the drop-down menu button and select the number of events to display per Manager screen (page).

After selecting the options, click any one of the four Page buttons to retrieve events.

The event log can be retrieved from the Concentrator via the following:

■ Telnet
■ FTP
■ HTTP
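The entry format shown in the Live Event Log and Filterable Event Log windows above, parsed and then filtered the way the Filterable Event Log does (event class, severity range, client IP), as an added Python example that is not Cisco's code. The sample log is constructed from the entries in the screenshots, and treating a client address of 0.0.0.0 (the window's default) as "no address filter" is an assumption.

```python
"""Parse and filter Cisco VPN 3000 Concentrator event log text.

Added example, not Cisco's code. Entry layout, from the screenshots:
    <seq> MM/DD/YYYY HH:MM:SS.mmm SEV=<n> <CLASS>/<id> RPT=<n> [<client ip>]
    <one or more message lines>, then a blank line
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEADER_RE = re.compile(
    r"^(?P<seq>\d+)\s+(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})"
    r"\s+SEV=(?P<sev>\d+)\s+(?P<cls>[A-Z0-9]+)/(?P<evid>\d+)\s+RPT=(?P<rpt>\d+)"
    r"(?:\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}))?\s*$"
)

# Constructed sample log, modelled on the entries shown in the screenshots.
SAMPLE_LOG = """\
1 04/12/2001 13:35:05.820 SEV=3 AUTH/5 RPT=1 192.168.1.6
Authentication rejected: Reason = User was not found
handle = 1, server = Internal, user = student5, domain = <not specified>

3 04/12/2001 13:35:14.850 SEV=4 IKE/52 RPT=1 192.168.1.6
Group [training] User [student1]
User (student1) authenticated.

5 04/12/2001 13:35:15.870 SEV=4 IKE/119 RPT=1 192.168.1.6
Group [training] User [student1]
PHASE 1 COMPLETED

117 04/12/2001 13:45:31.130 SEV=5 AUTH/36 RPT=37
User [ admin ] Protocol [ HTTP ] attempted ADMIN logon.
Status: <ACCESS GRANTED> !
"""


@dataclass
class Event:
    seq: int
    date: str
    time: str
    severity: int              # 1-13; the General window logs 1-5 by default
    event_class: str           # AUTH, IKE, HTTP, ...
    event_id: int
    repeat: int
    client_ip: Optional[str]   # None when the entry carries no client address
    message: str               # continuation lines joined with newlines


def parse_event_log(text: str) -> List[Event]:
    """Split raw log text into Event records; a header line starts each entry."""
    events: List[Event] = []
    header = None
    body: List[str] = []

    def emit() -> None:
        if header is not None:
            events.append(Event(
                seq=int(header["seq"]), date=header["date"], time=header["time"],
                severity=int(header["sev"]), event_class=header["cls"],
                event_id=int(header["evid"]), repeat=int(header["rpt"]),
                client_ip=header["ip"], message="\n".join(body)))

    for raw in text.splitlines():
        line = raw.strip()
        match = HEADER_RE.match(line)
        if match:
            emit()
            header, body = match, []
        elif line and header is not None:
            body.append(line)
    emit()
    return events


def filter_events(events: List[Event], event_class: Optional[str] = None,
                  min_severity: int = 1, max_severity: int = 13,
                  client_ip: str = "0.0.0.0") -> List[Event]:
    """The Filterable Event Log selectors: class, severity range, client IP.
    Assumption: 0.0.0.0 (the window's default) means 'do not filter on address'."""
    return [ev for ev in events
            if (event_class is None or ev.event_class == event_class)
            and min_severity <= ev.severity <= max_severity
            and (client_ip == "0.0.0.0" or ev.client_ip == client_ip)]


REJECT_RE = re.compile(r"Authentication rejected: Reason = (?P<reason>[^\n]+)")
USER_RE = re.compile(r"\buser = (?P<user>[^,\n]+)")


def auth_rejections(events: List[Event]) -> List[Tuple[str, str, Optional[str]]]:
    """(user, reason, client_ip) for each AUTH event reporting a rejected logon:
    the detail an operator looks for when a client cannot connect."""
    found = []
    for ev in events:
        if ev.event_class != "AUTH":
            continue
        reject = REJECT_RE.search(ev.message)
        if reject is None:
            continue
        user = USER_RE.search(ev.message)
        found.append((user.group("user").strip() if user else "<unknown>",
                      reject.group("reason").strip(), ev.client_ip))
    return found
```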
Configure Event Classes

[Screenshot: the Configuration>System>Events>Classes window. It reads: "This section lets you configure special handling of specific event classes. Click the Add button to add an event class, or select an event class and click Modify or Delete." with a link "Click here to configure general event parameters", and a table of Configured Event Classes with Actions.]
The Configuration>System>Events>Classes window enables you to add, configure, modify, and delete specific event classes for special handling. You can override the general or default handling of event classes. This is useful for debugging special cases, such as problems with IPSec client-to-LAN handshaking, because it allows you to look at all alarms, not just high-level alarms.

For example, a remote client is not able to connect to the Concentrator using digital certificates. The administrator looks at the filterable event log and notices that the remote client's digital certificate is invalid. With the event level set at the default of 1-5, the log tells the administrator there is a problem, but it does not give the administrator enough information. For that, the administrator needs the information contained in event messages of level 7-13, the debug and engineering messages. With the IKEDECODE event class modified to include levels 1-13, the administrator is able to look at the received digital certificate. From this information, the administrator ascertains that the remote client's digital certificate organizational unit (OU) field is set to Training while the Concentrator is expecting a value of training (lowercase "t"). The Configuration>System>Events>Classes window enables the administrator to set specific event classes to include the lower-priority (higher-numbered) severity levels in order to aid in troubleshooting a problem. When the issue is resolved, the increased event level can be disabled and returned to the default value of 1-5.
Modify Classes

[Screenshot: the Configuration>System>Events>Classes>Add window. It reads "This screen lets you add and configure an event class for special handling." and shows:

Class Name (drop-down): Select the event class to configure.
Enable (check box): Check to enable special handling of this class.

"If one of the following values has been set to Use Event List, the Event List can be seen by viewing Configuration | System | Events | General. Changing a value set to Use Event List will override the sections of the Event List referring to this event class."

Events to Log (Severities 1-5): Select the events to enter in the log.
Events to Console (Severities 1-3): Select the events to display on the console.
Events to Syslog (None): Select the events to send to a Syslog Server.
Events to Email (None): Select the events to send to an Email Recipient.
Events to Trap (None): Select the events to send to an SNMP Trap Destination.

Add and Cancel buttons.]
In the Configuration>System>Events>Classes>Add window, there are three things an administrator needs to do:

■ Select the event class to configure for special handling.
■ Enable or disable special handling of this event class.
■ Select the range of severity levels.

The event class handling parameters are as follows:

■ Events to Log—Click the Events to Log drop-down menu button and choose the range of event severity levels to enter in the event log.

■ Events to Console—Click the Events to Console drop-down menu button and choose the range of event severity levels to display on the console.

■ Events to Syslog—Click the Events to Syslog drop-down menu button and choose the range of event severity levels to send to a Syslog server. The default is None. Using the default means that no events are sent to a Syslog server.

■ Events to Email—Click the Events to Email drop-down menu button and choose the range of event severity levels to send to recipients via e-mail. If you select any event severity levels to e-mail, you must also configure a Simple Mail Transfer Protocol (SMTP) server on the Configuration>System>Events>SMTP Servers window, and you must configure e-mail recipients on the Configuration>System>Events>E-mail Recipients window. You should also configure the e-mail source address on the Configuration>System>Events>General window.

■ Events to Trap—Click the Events to Trap drop-down menu button and choose the range of event severity levels to send to an SNMP network management system. If you select any event severity levels to send, you must also configure SNMP destination system parameters on the Configuration>System>Events>Trap Destinations window.
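How the General defaults and an enabled class override combine to decide where an event goes, as an added Python example that is not Cisco's code. The "Use Event List" fallback is modelled per field, the walkthrough follows the IKEDECODE troubleshooting case described above, and the dependency check reflects the SMTP server, recipient and trap destination requirements just listed.

```python
"""Route a VPN 3000 Concentrator event to its destinations.

Added example, not Cisco's code. It models the General window's default
severity ranges and the Classes window's per-class overrides, where a
field left at "Use Event List" falls back to the General setting.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple, Union

Range = Optional[Tuple[int, int]]     # None is the window's "None": send nothing
USE_EVENT_LIST = "use-event-list"     # per-field sentinel: inherit the General range
DESTINATIONS = ("log", "console", "syslog", "email", "trap")


@dataclass
class GeneralHandling:
    """Configuration>System>Events>General defaults as given in the text."""
    log: Range = (1, 5)
    console: Range = (1, 3)
    syslog: Range = None
    email: Range = None
    trap: Range = None


@dataclass
class ClassOverride:
    """One Configuration>System>Events>Classes entry."""
    enabled: bool = True
    log: Union[Range, str] = USE_EVENT_LIST
    console: Union[Range, str] = USE_EVENT_LIST
    syslog: Union[Range, str] = USE_EVENT_LIST
    email: Union[Range, str] = USE_EVENT_LIST
    trap: Union[Range, str] = USE_EVENT_LIST


@dataclass
class EventPolicy:
    general: GeneralHandling = field(default_factory=GeneralHandling)
    classes: Dict[str, ClassOverride] = field(default_factory=dict)

    def effective_range(self, event_class: str, dest: str) -> Range:
        """General range, replaced by an enabled override unless it says Use Event List."""
        rng = getattr(self.general, dest)
        override = self.classes.get(event_class)
        if override is not None and override.enabled:
            own = getattr(override, dest)
            if own != USE_EVENT_LIST:
                rng = own
        return rng

    def destinations(self, event_class: str, severity: int) -> List[str]:
        """Where an event of this class and severity (1-13) is delivered."""
        if not 1 <= severity <= 13:
            raise ValueError(f"severity {severity} outside 1-13")
        out = []
        for dest in DESTINATIONS:
            rng = self.effective_range(event_class, dest)
            if rng is not None and rng[0] <= severity <= rng[1]:
                out.append(dest)
        return out

    def missing_dependencies(self, smtp_server: bool, email_recipients: bool,
                             trap_destination: bool) -> List[str]:
        """Destinations selected somewhere that cannot deliver: email needs an SMTP
        server and recipients, trap needs a trap destination (as the text requires)."""
        handlings = [self.general] + [o for o in self.classes.values() if o.enabled]

        def selected(dest: str) -> bool:
            return any(getattr(h, dest) not in (None, USE_EVENT_LIST) for h in handlings)

        missing = []
        if selected("email") and not (smtp_server and email_recipients):
            missing.append("email")
        if selected("trap") and not trap_destination:
            missing.append("trap")
        return missing


def troubleshooting_walkthrough() -> Dict[str, List[str]]:
    """The IKEDECODE case from the text: a level-9 decode event is invisible under the
    1-5 default, logged once the class is raised to 1-13, and hidden again when the
    override is disabled after the problem is fixed."""
    policy = EventPolicy()
    before = policy.destinations("IKEDECODE", 9)
    policy.classes["IKEDECODE"] = ClassOverride(log=(1, 13))
    during = policy.destinations("IKEDECODE", 9)
    policy.classes["IKEDECODE"].enabled = False
    after = policy.destinations("IKEDECODE", 9)
    return {"before": before, "during": during, "after": after}
```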
Administration

This topic covers how to configure and perform basic administration on the Cisco VPN 3000 Series Concentrator.

Administration Index

[Screenshot: the Administration index window, with a Save button. It reads: "This section of the Manager lets you control VPN 3000 Concentrator administrative functions. In the left frame, or in the list of links below, click the function you want:"

Administer Sessions -- statistics and logout for all sessions.
Software Update -- update concentrator and client software.
System Reboot -- system reboot options.
Reboot Status -- active sessions, disconnected sessions, etc.
Ping -- use ICMP ping to determine connectivity.
Monitoring Refresh -- enable automatic refresh of Monitoring screens.
Access Rights -- configure administrator profiles, access, and sessions.
File Management -- view, save, delete, swap, and transfer files.
Certificate Management -- install and manage digital certificates.]
The Administration window in the Manager enables you to control administrative functions on the Concentrator. The following functions are available:

■ Administer Sessions—View statistics for, log out, and ping sessions.

■ Software Update—Upload and update the Concentrator software image, and upload and update the VPN Client software image.

■ System Reboot—Set options for the Concentrator shutdown and reboot.

■ Reboot Status—Display information about system reboots.

■ Ping—Use ICMP ping to determine connectivity.

■ Monitoring Refresh—Enable an automatic refresh of status and statistics in the monitoring section of the Manager.

■ Access Rights—The administrator can customize user profiles, access control lists (ACLs), and administration session parameters:
  — ACL—Configure IP addresses for workstations with access rights.
  — Administrators—Configure administrator usernames, passwords, and rights.
  — Access Settings—Set the administrative session idle timeout and limits.

■ File Management—Configuration, event log, and certificate request files are stored in Flash memory. File Management enables the administrator to manage these files in Flash memory:
  — Files—Copy, view, and delete system files.
  — Swap Configuration Files—Swap backup and boot configuration files.
  — TFTP Transfer—Transfer files to and from the Concentrator.
  — File Upload—Transfer files to the Concentrator.

■ Certificate Management—Install and manage digital certificates. The following Certificate Management submenu items are available:
  — Enrollment—Create a certificate request to send to a Certificate Authority (CA).
  — Installation—Install digital certificates.
  — Certificates—View, modify, and delete digital certificates.
Administrators

[Screenshot: the administrators window. It reads "This section presents administrator users. Any changes you make take effect immediately." and shows a table with columns Group Number, Username, Properties, and Administrator Enabled, with rows for admin (Modify, enabled), config (Modify), isp (Modify), mis (Modify), and user (Modify), followed by Apply and Cancel buttons.]
Administrators are special users who can access and change the configuration, administration, and monitoring functions on the Concentrator. Only administrators can use the Concentrator Manager. Cisco provides five predefined administrators:

■ Admin—System administrator with access to, and the rights to change, all areas. This is the only administrator enabled by default (this is the only administrator who can log into, and use, the Concentrator Manager as supplied by Cisco).

■ Config—Configuration administrator with all rights except SNMP access.

■ ISP—Internet Service Provider administrator with limited general configuration rights.

■ MIS—Management Information Systems administrator with the same rights as the configuration administrator.

■ User—Users have limited rights. They have view and read privileges only.
Copyright © 2005, Cisco Systems, Inc. Monitor and Administer the Cisco VPN 3000 Series Concentrator Remote Access Networks 9-25 


Administration—Access Rights

[Screenshot: the administrator properties window. It reads "This section lets you modify the properties for administrators. Any changes you make take effect immediately." and shows:

Username: admin
Password: (asterisks) A password is required.
Verify: (asterisks) The password must be verified.
Access Rights:
Authentication: Modify Config
General: Modify Config
SNMP: Modify Config
Files: Read/Write Files (Includes Configuration Files)
AAA Access Level: Select the Privilege Level for this administrator. An administrator logging in using AAA will need to have a Privilege Level equal to one of the administrators.

Apply, Default, and Cancel buttons.]
The Administration>Access Rights window enables the administrator to configure access to and rights in the Concentrator Manager functional areas (Authentication or General), or via SNMP. Click the Authentication, General, and SNMP drop-down menus and choose from the following access rights:

■ None—No access or rights.

■ Stats Only—Access to only the Monitoring section of the Concentrator Manager. No rights to change parameters.

■ View Config—Access to permitted functional areas of the Concentrator Manager, but no rights to change parameters.

■ Modify Config—Access to permitted functional areas of the Concentrator Manager, and rights to change parameters.

Click the Files drop-down menu and choose from the following access rights:

■ None—No file access or management rights.

■ List Files—See a list of files in the Concentrator Flash memory.

■ Read Files—Read (view) files in Flash memory.

■ Read/Write Files—Read and write files in Flash memory, clear or save the event log, and save the active configuration to a file.

The Authentication, Authorization, and Accounting (AAA) Access Level drop-down menu enables you to govern the level of access for administrators authenticated by a Terminal Access Controller Access Control System (TACACS+) server. You set this AAA access level parameter to one of the levels configured on the TACACS+ server.
TACACS+ Authentication and Authorization Process

[Figure: a user logs on to the Concentrator's web interface. The Concentrator sends the username + password to the TACACS+ server (Authentication); the server answers Pass or fail; the Concentrator then requests authorization and the server returns Privilege level 1, which the Concentrator maps to "Modify configuration + read/write files".]
In Release 3 and higher of the Concentrator software, either the Concentrator itself or a Terminal Access Controller Access Control System (TACACS+) server can authenticate an administrator trying to access the web interface of the Concentrator. In the example in the figure, a user tries to access the web interface of the Concentrator and is prompted for a username and password. With TACACS+ enabled, the Concentrator forwards the username and password to the TACACS+ server. The server returns a pass or fail authentication message. If a pass message is returned, the Concentrator requests a level of authorization. The server searches its database for the level associated with that user, in this case 1. The server sends an authorization level of 1 back to the Concentrator. The Concentrator searches its access rights database to see which administrator group is assigned an AAA access level of 1. In this case, the admin group is configured as 1. The user is granted whatever access rights are defined under the admin group.

Note   If TACACS+ fails, the only way to get back in is via the console port using the CLI.
TACACS+ Server Configuration

[Screenshot: "Configure and add a TACACS+ administrator authentication server."

Authentication Server: 10.0.1.10 (Enter IP address or hostname.)
Server Port: 0 (Enter the server TCP port number (0 for default).)
Timeout: 4 (Enter the timeout for this server (seconds).)
Retries: 2 (Enter the number of retries for this server.)
Server Secret: (asterisks) Enter the server secret.
Verify: (asterisks) Re-enter the server secret.

Add and Cancel buttons.]
The Administration>Access Rights>AAA Servers>Authentication window enables the
administrator to add or modify TACACS+ servers:

■ Authentication Server field—Enter the IP address or hostname of the AAA authentication
  server.

■ Server Port field—Enter the TCP port number by which you access the server.

■ Timeout field—Enter the time in seconds to wait after sending a query to the server and
  receiving no response, before trying again.

■ Retries field—Enter the number of times to retry sending a query to the server after the
  timeout period. If there is still no response after this number of retries, the Concentrator
  declares this server inoperative and uses the next TACACS+ authentication server in the list.

■ Server Secret field—Enter the TACACS+ server secret key (also called the shared secret)
  (for example, C8z077f).

■ Verify field—Re-enter the TACACS+ server secret key to verify it. The field shows only
  asterisks.
AAA Servers

[Screenshot of the Administration>Access Rights>AAA Servers>Authentication window: "This
section lets you configure parameters for TACACS+ administrator authentication servers. Be sure
that any servers you reference are properly configured. Click the Add button to add a server, or
select a server and click Modify, Delete, Move, or Test." Authentication Servers list: 10.0.1.10.
Actions: Add, Modify, Delete, Move Up, Move Down, Test.]

CSVPN 4.0—9-25
The Administration>Access Rights>AAA Servers>Authentication window displays the
configured TACACS+ servers in priority order. It is very important that you test the
communications between the Concentrator and the TACACS+ server. If you log out of the
Concentrator and communications do not exist between the Concentrator and the TACACS+
server, you are locked out of the GUI. To test the communications, click Test.
Test AAA Server Communications

[Screenshot of the test window: "Enter a username and password with which to test. Please wait
for the operation to complete or timeout." User Name: student1. Result shown: "An error has
occurred while attempting to perform the operation. Authentication Error: No active server found.
Retry the operation or Go to main menu".]
When the test window opens, enter your username and password. Click OK. After a short delay,
the Concentrator returns an authenticated window. It is now safe to log out of the Concentrator
and log back in using your TACACS+ login username and password. However, if the
Authentication Error window opens, do not log out of the Concentrator. If you do, you are
locked out of the GUI. The only way to access the GUI again is to fix the communication
problem or turn off AAA in the Concentrator via the CLI.
Administration>Access Rights>Access Control List

[Screenshot of the Access Control List window: "This section presents administrator access
control list options. Only those IP addresses listed will have access to manage this VPN 3000
Concentrator. If no addresses are listed, then anybody with the proper username/password
combination can access this VPN 3000 Concentrator. If you do not add your IP address to the
list first, you will be unable to access this VPN 3000 Concentrator." Manager Workstations list:
Empty. Actions: Add, Modify, Delete, Move Up, Move Down.]

© 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0—9-27
The Administration>Access Rights>Access Control List window enables you to configure the 
systems (workstations) that are allowed to access the Concentrator Manager. For example, you 
might want to allow access only from one or two PCs that are in a locked room. If no systems 
are listed, then anyone who knows the Concentrator IP address and the administrator username 
and password combination can gain access. 
ACL—Add

[Screenshot of the Access Control List>Add window: "Add a manager address to the access
list." IP Address field; IP Mask field 255.255.255.255 ("The mask specifies the part of the
address to match. Use 255.255.255.255 to match the whole address. Use 0.0.0.0 to match any
address."). Access Group radio buttons: Group 1 (admin), Group 2 (config), Group 3 (isp),
Group 4 (mis), Group 5 (student1), No Access. Add | Cancel]
The Administration>Access Rights>Access Control List>Add window enables you to add a PC
to the ACL. Each PC requires an IP address and a subnet mask. To add a PC to the ACL, you
must enter information in the following fields:

■ IP Address field—Enter the IP address of the workstation in dotted decimal notation (for
  example, 10.10.1.35).

■ IP Mask field—Enter the mask for the IP address in dotted decimal notation. This mask
  enables you to restrict access to a single IP address, a range of addresses, or all addresses.
  Enter 255.255.255.255 (the default) to restrict access to a single IP address. Enter 0.0.0.0 to
  allow all IP addresses. Enter the appropriate mask to allow a range of IP addresses.

Each individual PC is assigned to an access group or denied access. Click the appropriate radio
button from the Access Group radio buttons to assign the rights of an administrator group to this
IP address. The default is Group 1 (admin). You can assign only one group, or you can specify
no access.
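As an added illustration (not Cisco code and not the Concentrator's implementation), the following Python models the manager ACL match described above: an entry matches when the client address agrees with the entry address on every bit set in the mask, an empty list admits any workstation, and a matched entry grants its group or refuses access. First-match evaluation in list order, the sample entries and the would_lock_out helper are assumptions made here.

```python
"""Model of the Concentrator Manager access control list (added example, not
Cisco code). Assumption: entries are evaluated in list order, first match wins."""
import ipaddress
from typing import List, Optional, Tuple

NO_ACCESS = "No Access"


def _addr(dotted: str) -> int:
    """Dotted-decimal IPv4 address or mask as an integer."""
    return int(ipaddress.IPv4Address(dotted))


class AclEntry:
    def __init__(self, address: str, mask: str, group: str) -> None:
        self.address = _addr(address)
        self.mask = _addr(mask)   # 255.255.255.255: whole address; 0.0.0.0: any address
        self.group = group        # e.g. "Group 1 (admin)" or NO_ACCESS

    def matches(self, client: str) -> bool:
        # Only the bits set in the mask take part in the comparison.
        return (_addr(client) & self.mask) == (self.address & self.mask)


def manager_access(acl: List[AclEntry], client_ip: str) -> Tuple[bool, Optional[str]]:
    """(allowed, group) for a workstation. group is None when the ACL is empty,
    meaning rights come from the administrator login alone."""
    if not acl:
        return True, None         # no addresses listed: anybody with valid credentials
    for entry in acl:
        if entry.matches(client_ip):
            if entry.group == NO_ACCESS:
                return False, None
            return True, entry.group
    return False, None            # addresses listed, none match: connection refused


def would_lock_out(acl: List[AclEntry], admin_ip: str) -> bool:
    """True if applying this ACL would keep the administrator at admin_ip out,
    the mistake the window text warns about."""
    return not manager_access(acl, admin_ip)[0]


# Constructed sample ACL (hypothetical entries). Note that the single-PC entry
# sits inside the subnet entry below it, so order decides which group applies.
SAMPLE_ACL = [
    AclEntry("10.10.1.35", "255.255.255.255", "Group 1 (admin)"),
    AclEntry("10.10.1.0", "255.255.255.0", "Group 3 (isp)"),
    AclEntry("10.10.2.7", "255.255.255.255", NO_ACCESS),
]

if __name__ == "__main__":
    for ip in ("10.10.1.35", "10.10.1.200", "10.10.2.7", "192.168.5.5"):
        print(ip, manager_access(SAMPLE_ACL, ip))
    print("admin at 192.168.5.5 locked out:", would_lock_out(SAMPLE_ACL, "192.168.5.5"))
```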
Access Settings

[Screenshot of the Administration>Access Rights>Access Settings window: "This section presents
General Access options."]
  Session Idle Timeout: (seconds)   Enter the administrative session idle timeout. Limit is 1800 seconds.
  Session Limit: 10                 Enter the maximum number of administrative sessions.
  Config File Encryption: RC4 (selected) / None / DES   Select configuration file encryption.
  [Apply] [Cancel]
The Administration>Access Rights>Access Settings window enables an administrator to
customize the Concentrator web access sessions. The following access settings can be
configured in the Access Settings window:

■ Session Idle Timeout field—Enter the timeout period in seconds for administrative sessions.
  If there is no activity for this period, the Concentrator Manager session terminates. The
  default is 600 seconds, and there is no maximum limit.

■ Session Limit field—Enter the maximum number of simultaneous administrative sessions
  allowed. The default is 10, and there is no limit.

■ Config File Encryption radio button—To encrypt sensitive entries in the configuration file,
  such as passwords and keys, select either the RC4 or DES radio button. Select the None
  radio button to use clear text for all configuration file entries. For maximum security, it is
  recommended that you do not use the None option.
Administration Sessions

[Screenshot of the Administration>Administer Sessions window: "This screen shows statistics for
sessions. To refresh the statistics, click Refresh. Select a Group to filter the sessions. For more
information on a session, click on that session's name. To log out a session, click Logout in the
table below. To test the network connection to session, click Ping." Group filter: All. Logout All:
PPTP User | L2TP User | IPSec User | IPSec LAN-to-LAN.]

  Session Summary: Active LAN-to-LAN Sessions | Active Remote Access Sessions | Active
  Management Sessions | Total Active Sessions | Peak Concurrent Sessions | Concurrent Sessions
  Limit (100) | Total Cumulative Sessions

  LAN-to-LAN Sessions: Connection Name | IP Address | Protocol | Encryption | Login Time |
  Duration | Bytes Tx | Bytes Rx | Actions (No LAN-to-LAN Sessions)

  Remote Access Sessions: Assigned IP Address | Public IP Address | Protocol | Encryption |
  Login Time | Duration | Client Type | Version | Bytes Tx | Bytes Rx | Actions (one session for
  student1: IPSec, 3DES-168, Jul 29 15:14:19, WinNT client)

  Management Sessions: Administrator | IP Address | Protocol | Encryption | Login Time |
  Duration | Actions (admin, 10.0.1.70, HTTP, None, Jul 29 14:14:33, 0:05:57, Logout | Ping)
The Administration>Administer Sessions window provides the following information:

■ Session Summary table—Shows the summary totals for LAN-to-LAN, remote access, and
  management sessions.

■ LAN-to-LAN Sessions table—Shows parameters and statistics for all active IPSec
  LAN-to-LAN sessions. Each session in this table identifies only the outer LAN-to-LAN
  connection or tunnel, not individual host-to-host sessions within the tunnel.

■ Remote Access Sessions table—Shows parameters and statistics for all active remote-access
  sessions. Each session is a single-user connection from a remote client to the Concentrator.

■ Management Sessions table—Shows parameters and statistics for all active administrator
  management sessions on the Concentrator. If there are multiple concurrent management
  sessions running, the first session has read and write capabilities. Each additional
  management session has read capabilities only. The additional users can view configuration
  screens but are unable to effect any changes.
File Management—Files

[Screenshot of the Administration>File Management window: "This screen lets you manage files
on the VPN 3000 Concentrator. Select a file from the list and click the appropriate Action, or
choose an action from the list below."]
  Swap Config File -- swap the backup and boot configuration files.
  TFTP Transfer -- transfer files via TFTP
  File Upload -- send a file via HTTP
  XML Export -- export the configuration to an XML file

  Total: 12368KB, Used: 322KB, Free: 12046KB

  Filename       Size (bytes)   Date/Time             Actions
  CL2LBOS        34577          10/25/2001 11:32:12   View | Delete | Copy
  CONFIG.BAK     21444          01/23/2002 14:15:00   View | Delete | Copy
  CONFIG         21676          01/25/2002 08:08:48   View | Delete | Copy
  CRSHDUMP.TXT   19223          12/07/2000 12:11:00   View | Delete | Copy
  SAVELOG.TXT    155304         01/23/2002 13:58:54   View | Delete | Copy

The Administration>File Management window enables you to manage files in the Concentrator
Flash memory. From the top section of the window, management actions available to the
administrator are as follows:

■ Swap Config File link—Enables you to swap the backup and boot configuration files.

■ TFTP Transfer link—Enables you to transfer files to and from the Concentrator via Trivial
  File Transfer Protocol (TFTP).

■ File Upload link—Enables you to use HTTP to transfer files from your PC to the
  Concentrator Flash memory.

■ XML Export link—Exports the configuration to an XML file stored on the Concentrator.

The bottom of the window shows a table listing all files in the Flash memory—one file per table
row. Such files include CONFIG, CONFIG.BAK, SAVELOG.TXT, and CRSHDUMP.TXT,
and copies of the files that you have saved under different names such as CL2LBOS. The
following file information is available:

■ Filename column—The name of the file in Flash memory. The Concentrator stores
  filenames as uppercase names in the 8.3 naming convention.

■ Size (bytes) column—The size of the file in bytes.

■ Date/Time column—The date and time the file was created. The format is MM/DD/YY
  HH:MM:SS, with time in 24-hour notation.
■ Actions column—For a selected file, click the desired action link. The actions available to
  you depend on your access rights to files:

  — View—Click View to view the selected file. The Manager opens a new browser window
    to display the file.

  — Delete—Click Delete to delete the selected file from Flash memory.

  — Copy—Click Copy to copy a selected file within Flash memory.
Swap Configuration

[Figure: "Save the configuration" writes Configuration (boot); the previous file becomes
Config.bak (backup); "Swap the configuration" exchanges the two.]

[Screenshot of Administration | File Management | Swap Configuration Files: "Every time the
active configuration is saved, a backup is made of the configuration file. By clicking OK, you can
swap the backup configuration file with the boot configuration. To reload the boot configuration,
you must then reboot the device. You will be sent to the System Reboot screen after the
configuration files have been swapped." OK | Cancel]
The Administration>File Management>Swap Configuration Files window enables you to swap
the boot configuration file with the backup configuration file. Every time you save the active
configuration, the system writes it to the configuration file, which is the boot configuration file.
It also saves the previous configuration file as config.bak, the backup configuration file. You
must reboot the system to reload the boot configuration file and make it the active configuration.
Click the highlighted reboot the device link to choose the Administration>System Reboot
window and reboot the system.
Reboot

[Screenshot of the Administration>System Reboot window: "This section presents reboot options.
[...] a reboot, the browser may appear to hang as the device is rebooted."]
  Reboot / Shutdown without automatic reboot / Cancel a scheduled reboot/shutdown
  Configuration: Save the active configuration at time of reboot / Reboot without saving the
    active configuration / Reboot ignoring the configuration file
  When to Reboot/Shutdown: Now / Delayed by 10 minutes / At time 15:04 (24 hour clock) /
    Wait for sessions to terminate (don't allow new sessions)
  [Apply] [Cancel]
The Administration>System Reboot window enables you to reboot or shut down (halt) the
Concentrator with the various options listed below:

Note If you are logged in to the Manager when the system reboots or halts, it automatically logs
you out and displays the main login window.

■ Reboot radio button—Terminates all sessions, resets the hardware, loads and verifies the
  software image, executes system diagnostics, and initializes the system. A reboot takes
  approximately 60–75 seconds.

■ Shutdown without automatic reboot radio button—Shuts down the Concentrator; that is, it
  brings the system to a halt so you can turn off the power. Shutdown terminates all sessions
  and prevents new user sessions (but not administrator sessions).

■ Cancel a scheduled reboot/shutdown radio button—Cancels a reboot or shutdown that is
  waiting for a certain time, or for sessions to terminate.

■ Save the active configuration at time of reboot radio button—Saves the active configuration
  to the configuration file, and reboots using that new file.

■ Reboot ignoring the configuration file radio button—Reboots ignoring the existing
  configuration file and without saving the active configuration. It sets the Concentrator back
  to factory defaults (that is, it starts the system as if it had no configuration file).
Software Update

[Figure: Concentrator and Hardware Client connected across the Internet.]

[Screenshot of the Administration>Software Update window: "This section of the Manager lets
you update software on the VPN 3000 Concentrator Series or clients. In the left frame, or in the
list of links below, click the function you want:"]
  • Concentrator -- update VPN 3000 Concentrator Series software.
  • Clients -- update hardware and software clients.
The Administration>Software Update window enables you to update executable system
software on both the Concentrator and Cisco VPN clients. Choose Concentrator to update the
Concentrator software. Choose Clients to update the Hardware Client and the Windows
Software Client. Client software update is discussed later in this lesson.
Concentrator—Software Update

[Figure: the software update is uploaded to the Concentrator, then the Concentrator is rebooted.]

[Screenshot of the Administration>Software Update>Concentrator window: "This section lets you
update the software on your VPN 3000 Concentrator. The VPN 3000 Concentrator will verify the
integrity of the software image that you download. It will take a few minutes for the upload and
verification to take place. Please wait for the operation to finish."
Current Software Revision: Cisco Systems, Inc./VPN 3000 Concentrator Version 3.6 Beta_2
Jun 26 2002 13:32:36 (DEBUG_MASK 0, NDEBUG off)
"Type in the name of the image file below." File selected: vpn3005-3_6_Rel-k9.bin (Browse...).
Upload | Cancel]
The Administration>Software Update>Concentrator window enables you to update the
Concentrator executable system software (the software image). The new image file must be
accessible by the workstation you are using to manage the Concentrator. This process uploads
the file to the Concentrator, which then verifies the integrity of the file. It takes a few minutes to
upload and verify the software, and the system displays the progress. Wait for the operation to
finish.

You must reboot the Concentrator to run the new software image. The system prompts you to
reboot when the update is finished.

Caution While the system is updating the image, do not perform any other operations that affect Flash
memory (listing, viewing, copying, deleting, or writing files). Doing so may corrupt memory.
Client—Software Update

[Figure: the Concentrator sends an update notification across the Internet to the Training group
and the Engineering group.]
Network administrators of remote access VPNs are looking for Cisco to help them push client
software upgrades to their users in some type of automated, informed fashion. To that end, the
Concentrator provides a client update notification feature that notifies the software client when
update software is available.

Updating client software in an environment with a large number of devices in different locations
can be a formidable task. For this reason, the Concentrator includes a client update feature that
simplifies the software update process. This feature works differently for Cisco VPN Software
Clients and Cisco VPN 3002 Hardware Clients. The Hardware Client and Software Client
update processes are as follows:

■ Software Clients—The client update feature enables administrators at a central location to
  automatically notify Software Client users when it is time to update the Software Client.
  When you enable Client Update, during tunnel establishment the central-site Concentrator
  sends an IKE packet that notifies Cisco VPN Clients about acceptable versions of the
  Software Client. It includes a location that contains the new version of software for the
  Cisco VPN Client to download. The administrator for that Software Client can then retrieve
  the new software version and update the client at a time of their choosing.

■ Hardware Clients—When you enable Client Update for the Hardware Client, during tunnel
  establishment the central-site Concentrator sends an IKE packet that notifies Hardware
  Clients about acceptable versions of executable system software and their locations. If the
  Hardware Client is not running an acceptable version, it automatically attempts to download
  the new revision of code via TFTP. There will be further discussion of the Hardware Client
  update in a later lesson.
Windows Client—Enable Update Process

[Screenshot of the Configuration>System>Client Update window: "This section of the Manager
lets you configure Client Update. In the left frame, or in the list of links below, click the function
you want:" Enable -- enable Client Update; Entries -- configure the client type and URL entries
for Client Update. Enable window: "Check the box to enable Client Update functionality."
Enabled: checked. Apply | Cancel]
Configuring the VPN Windows Software Client auto update is a two-step process:

Step 1 Enable client update functionality (disabled by default) on the Concentrator.

  1. Choose the Configuration>System>Client Update window and click the Enable link.

  2. When enabled, the administrator has to decide how to update the clients: globally or by
     group.

     With a global update, all clients are updated to specific releases of software from a specific
     server. Choose the Configuration>System>Client Update>Entries window and enter the
     appropriate information to configure a global update.

     If a more systematic, group-by-group approach is preferred, different servers can update
     different groups at different times to different releases of software. Choose the
     Configuration>User Management>Groups window and enter the appropriate information
     to configure a group update.

Step 2 Set the update parameters (for example, client type, URL, and Revisions).
Windows Client—Global Update Process

[Screenshot of the Configuration>System>Client Update>Entries window: "This section lets you
configure Client Update entries. Click the Add button to add an entry, or select an entry and click
Modify or Delete." Client Update Entries list with Actions.]

[Screenshot of the Entries>Add window: "Add client update information."]
  Client Type: windows   Enter the client type (e.g. windows or vpn3002) that is to be updated.
  URL: http://10.0.1.10/... (the path to the VPN Client image file)   Enter the URL of the file
    from which to update. The URL must point to an appropriate file type for the client.
  Revisions: 3.5.Rel     Enter a comma separated list of valid revisions. The URL above must be
    one of these revisions.
  [Add] [Cancel]
Global software update configuration is defined under the Configuration>System>Client Update
tree. Complete the following steps to configure the VPN Windows Software Client update:

Step 1 Choose the Configuration>System>Client Update window and click the Entries link.

Step 2 From the Configuration>System>Client Update>Entries window, click Add to access the update
information window.

Step 3 In the Configuration>System>Client Update>Entries>Add window, enter the client update
information. The client update fields are as follows:

■ Client Type—The VPN Client identifiers are as follows:

  — Windows—All Microsoft Windows-based platforms (95, 98, ME, NT 4.0, 2000, and
    XP). The following are the Microsoft Windows subset identifiers:

    ■ Windows 9X—All Microsoft Windows 9X-based platforms (95, 98, and ME)

    ■ Windows NT—All Microsoft Windows NT-based platforms (NT 4.0, 2000, and
      XP)

■ URL—Enter the URL for the software image. For the VPN Client to activate the Launch
  button on the VPN Client notification, the URL must include the protocol HTTP or HTTPS
  and the server address of the site that contains the update. The format is
  http(s)://server_address:port/directory/filename (for example,
  http://10.0.1.10/clientupdate). All parts of the URL are optional except for the protocol
  (HTTP or HTTPS), and the server address.

■ Revisions—Enter a comma-separated list of software or firmware images appropriate for
  this client. Your entries must match exactly those on the VPN Windows Software Client, or
  the Hardware Client. For example, if the administrator wants all the clients to be upgraded to
  the released software version for 3.5, enter 3.5.Rel in the revision field. For the exact
  spelling, open the Monitoring>System Status window. If the client is already running a
  software version on the list, it does not need a software update. If the client is not running a
  software version on the list, an update is in order. To do this, a VPN Windows Software
  Client user must download an appropriate software version from the URL listed in the
  notification message. The URL is defined in the previous URL field.
Windows Client—Group Update Process

[Screenshot of the Configuration>User Management>Groups window: "This section lets you
configure groups. A group is a collection of users treated as a single entity. Click the Add Group
button to add a group, or select a group and click Delete Group or Modify Group. To modify
other group parameters, select a group and click the appropriate button." Current Groups: training
(Internally Configured). Actions: Add Group, Modify Group, Delete Group, Authentication
Servers, Authorization Servers, Accounting Servers, Address Pools, Client Update, Bandwidth
Assignment.]

[Screenshot of the Client Update entries for training: "This section lets you configure Client
Update entries. Click the Add button to add an entry, or select an entry and click Modify or
Delete. Click Done to finish." Add window: "Add client update information." Client Type:
Windows; URL: http://10.0.1.10/... (the path to the VPN Client image file); Revisions: 3.5.Rel.]

Complete the following steps to configure an update on a group-by-group basis:

Step 1 Choose the Configuration>User Management>Groups window.

Step 2 Select the group in the Current Groups field.

Step 3 Click Client Update.

Step 4 In the Configuration>User Management>Groups>Client Update>Add window, enter the client
update information. The group client update fields are as follows:


■ Client Type—The VPN Windows Software Client identifiers are as follows:

  — Windows—All Microsoft Windows-based platforms (95, 98, ME, NT 4.0, 2000, and
    XP). The following are the Microsoft Windows subset identifiers:

    ■ Windows 9X—All Microsoft Windows 9X-based platforms (95, 98, and ME)

    ■ Windows NT—All Microsoft Windows NT-based platforms (NT 4.0, 2000, and XP)

■ URL—Enter the URL for the software image. For the VPN Client to activate the Launch
  button on the VPN Client Notification, the URL must include the protocol HTTP or HTTPS
  and the server address of the site that contains the update. The format is
  http(s)://server_address:port/directory/filename (for example,
  http://10.0.1.10/clientupdate). All parts of the URL are optional except the protocol (HTTP
  or HTTPS) and the server address.

■ Revisions—Enter a comma-separated list of software or firmware images appropriate for
  this client. Your entries must match exactly those on the VPN Windows Software Client or
  the Hardware Client. For example, if the administrator wants all the clients to be upgraded to
  the released software version for 3.5, enter 3.5.Rel in the revision field. For the exact
  spelling, open the Monitoring>System Status window. If the client is already running a
  software version on the list, it does not need a software update. If the client is not running a
  software version on the list, an update is in order. To perform the update, a VPN client user
  must download an appropriate software version from the URL listed in the notification
  message. The URL is defined in the previous URL parameter field.
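As an added example (not Cisco code), the following Python models the update decision described in the global and group update sections above: an entry applies to a client by type, with a Windows entry covering the Windows 9X and Windows NT subsets; a revision counts only on an exact string match; and the Launch button is offered only when the URL carries the protocol and server address. Consulting a group's own entries before the global entries, and the sample entries, are assumptions made here.

```python
"""Model of the Concentrator client-update notification decision (added
example, not Cisco code). Assumption: group entries are checked before global."""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Windows subset identifiers from the text: a "windows" entry applies to every
# Windows platform, "windows 9x" and "windows nt" only to the platforms listed.
WINDOWS_SUBSETS = {
    "windows 9x": {"95", "98", "me"},
    "windows nt": {"nt 4.0", "2000", "xp"},
}


@dataclass(frozen=True)
class UpdateEntry:
    client_type: str   # "windows", "windows 9x", "windows nt" or "vpn3002"
    url: str           # location of the new software
    revisions: str     # comma-separated acceptable revisions, e.g. "3.6.Rel, 3.5.Rel"

    def acceptable(self) -> List[str]:
        """Acceptable revision strings; matching is exact, only whitespace is trimmed."""
        return [r.strip() for r in self.revisions.split(",") if r.strip()]


def entry_applies(entry: UpdateEntry, client_family: str, platform: str) -> bool:
    """True if this entry is addressed to a client of the given family and platform."""
    kind = entry.client_type.strip().lower()
    if kind == client_family.strip().lower():
        return True
    return platform.strip().lower() in WINDOWS_SUBSETS.get(kind, set())


def launch_enabled(url: str) -> bool:
    """The client activates Launch only when the URL has http(s) and a server address."""
    parts = urlsplit(url)
    return parts.scheme in ("http", "https") and bool(parts.hostname)


def decide_update(global_entries: List[UpdateEntry],
                  group_entries: Dict[str, List[UpdateEntry]],
                  group: str, client_family: str, platform: str,
                  running: str) -> Optional[dict]:
    """Notification to send at tunnel establishment, or None if none is due."""
    for entry in group_entries.get(group, []) + global_entries:
        if not entry_applies(entry, client_family, platform):
            continue
        acceptable = entry.acceptable()
        if running in acceptable:
            return None   # already on an acceptable revision: no update needed
        return {"url": entry.url, "acceptable": acceptable,
                "launch": launch_enabled(entry.url)}
    return None           # no entry for this client type: nothing to announce


# Constructed sample configuration (hypothetical entries and group name)
GLOBAL_ENTRIES = [UpdateEntry("windows", "http://10.0.1.10/clientupdate", "3.5.Rel")]
GROUP_ENTRIES = {
    "training": [UpdateEntry("windows nt",
                             "https://10.0.1.10:8080/training/vpnclient.exe",
                             "3.6.Rel, 3.5.Rel")],
}

if __name__ == "__main__":
    # Exact match required: "3.5 Rel" is not "3.5.Rel", so a notification goes out.
    for running in ("3.5.Rel", "3.5 Rel"):
        print(running, decide_update(GLOBAL_ENTRIES, GROUP_ENTRIES,
                                     "engineering", "windows", "xp", running))
```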
Update Notification Message

[Screenshot of the VPN Client Notifications window: Notifications: "[1 - Jun 18, 2003 13:29:14]
Client Software Update" (Connect History tab also shown). Message: "Your network administrator
has placed an update of the VPN Client at the following location: http://10.0.1.10".]
The notification message informs a remote user that it is time to upgrade the VPN Client 
software. The notification includes the location where the remote user can obtain the upgrade. 
When you receive an upgrade notification that includes a URL, click Launch to choose the site 
and retrieve the upgrade software. You will receive an upgrade notification every time you 
connect until you have installed the upgrade software. 
Client Statistics—Notification Button

[Screenshot of the VPN Client (Version 4.0.1 (Rel)) main window with the Status menu open:
Statistics... and Notifications... Connection entries: scep (192.168.1.5, IPSec/UDP) and student1
(192.168.1.5, IPSec/UDP). Status bar: Connected to "student1". Connected Time: 0 day(s),
0:02.07.]

While connected, you can view the notification message by clicking Notifications on the VPN
Client Status menu.
Bandwidth Management

[Figure: System engineers (20) and Executives (6) reach the central site across the Internet.
Bandwidth management: bandwidth policing; bandwidth reservation.]
By default, the Concentrator line does not equitably manage packet traffic on a per-group or
per-user basis. This means that any one group or user, given infinite bandwidth capability, could
effectively steal almost all available bandwidth capacity of a Concentrator. This can cause all
other logged-in users to experience slower connections. In the figure, the customer has a T1,
1.544 Mbps, of bandwidth at the central site. There are two remote sites, site B and site C, each
with 384 K of bandwidth. There are two sets of remote users, system engineers and
executives. The remote users have DSL and cable access to headquarters. If all 26 remote users
connect at the same time and decide to download a large file, their actions could conceivably
slow down connections between the headquarters and sites B and C.

The bandwidth management feature can be enabled on the Concentrator to distribute the
bandwidth more equitably. One option is bandwidth reservation. The administrator could
configure a minimum reserved bandwidth rate per session to prevent connection slowdown. For
example, each remotely connected system engineer has a configured minimum bandwidth
reservation of 56 Kbps. For another option, if the administrator is concerned about
overutilization, the Concentrator could be configured for bandwidth policing. The Concentrator
can place a bandwidth ceiling on data transfers (for example, a maximum transfer rate of
128 Kbps per session). The last option is aggregation. The administrator could choose to reserve
a pool of bandwidth, an aggregation, for a group of users or a site-to-site link. During peak
periods, this site-to-site link, or group of users, can access bandwidth from this dedicated pool of
bandwidth. The pool is reserved for their exclusive use. There is further discussion of these
bandwidth management options later in this lesson.
Bandwidth Policing Overview

[Figure: frames that exceed the policing rate are allowed up to the burst size; frames that exceed
the burst size are dropped. Bandwidth policing: policing rate; burst size.]
For the bandwidth policing feature, the Concentrator enforces a maximum data transfer rate. 
Bandwidth policing sets a maximum limit, a cap, on the rate of tunneled traffic. For example, all 
system engineers can transfer data up to a sustained rate of 56 Kbps while remotely accessing 
the Concentrator. The Concentrator transmits traffic it receives below this rate and drops traffic 
above it. Because traffic is bursty, some flexibility is built into policing. Policing involves 
two thresholds: the policing rate and the burst size. The policing rate is the maximum limit on 
the rate of sustained tunneled traffic. The burst size is the maximum number of bytes that an 
instantaneous burst may carry before traffic is capped back to the policing rate. The 
Concentrator allows instantaneous bursts of traffic above the policing rate, up to the burst 
size. Should traffic burst consistently and exceed the burst size, the Concentrator enforces the 
policing rate threshold and starts to drop frames. 


Bandwidth policing is configurable on both a system and a group basis. If group policing is 
configured, every member of the specified group transmits data according to the group 
bandwidth policing policy. If a remote user is not a member of a group with its own policy, the 
remote user can transmit data up to the system-wide (interface) policing rate. For example, there 
are two groups of remote users, system engineers and executives. The executives have a group 
policing rate defined at 128 Kbps. The system engineers do not have their own group policing 
rate defined. When executives connect to the Concentrator, they can transmit data up to 128 
Kbps. When system engineers connect, they have no policing policy specifically defined for 
their group, so they can transmit data up to the system-wide policing rate, in this example 56 Kbps. 
Bandwidth Policing Policies 

[Screenshot: Configuration > Policy Management > Traffic Management > Bandwidth Policies. 
The policy list shows exec policing, LAN-to-LAN reservation, normal reservation, executive 
reservation and normal policing, with Add, Modify and Delete actions. The Add/Modify window for 
the policy "normal policy" has a Bandwidth Reservation section (check box; Minimum Bandwidth, 
shown as 56 kbps) and a Policing section (check box; Policing Rate with unit selector; Normal 
Burst Size with unit selector). The window notes that traffic exceeding the policing rate or 
burst size is dropped, and that at least one of the two check boxes must be enabled to create a 
policy.] 
Configuring the bandwidth policing feature is a two-step process. First, the policing policy, or 
policies, is defined. Next, the policies are assigned to an interface and, optionally, to groups. To 
configure policing policies, choose the Configuration>Policy Management>Traffic 
Management>Bandwidth Policies window. The bandwidth policy consists of two parts, 
bandwidth reservation on the top half and policing on the bottom half. (Bandwidth reservation 
is discussed later in the lesson.) Policing involves two thresholds: the policing rate and the 
burst size. The policing rate is the maximum limit on the rate of sustained tunneled traffic. The 
burst size is the maximum number of bytes an instantaneous burst may carry before traffic is 
capped back to the policing rate. The Concentrator allows instantaneous bursts of traffic 
above the policing rate, up to the burst size. The policing policy parameters are as follows: 


■ Policy Name—Enter a unique policy name that helps you remember the policy you are 
configuring. For example, if this policy focuses on the executive group, you could name it 
executive. 

■ Policing—Select the Policing check box to enable the policing feature. 

■ Policing Rate—Enter a value for Policing Rate and select the unit of measurement. The 
Concentrator transmits traffic that is moving below the policing rate and drops all traffic that 
is moving above the policing rate. The range is 56 Kbps to 100 Mbps. The default is 56 Kbps. 
The policing rate is expressed in one of the following units: 

— bps—Bits per second 

— Kbps—Thousands of bits per second 

— Mbps—Millions of bits per second 
■ Normal Burst Size—Enter a value for the normal burst size and select the unit of measurement. 
The normal burst size is the amount of data the Concentrator lets through in one instantaneous 
burst above the policing rate. Use the following rule of thumb to set the burst size: 
(Policing Rate in bps / 8) * 1.5 bytes, that is, 1.5 seconds' worth of traffic at the policing 
rate. For example, if you want to limit users to 250 Kbps of bandwidth, set the policing rate to 
250 Kbps and the burst size to 46875 bytes, that is, (250000 bps / 8) * 1.5. The default normal 
burst size is 10500 bytes, which is what the formula gives for the default 56 Kbps policing rate. 
The normal burst size is expressed in one of the following units: 

— Bytes 

— Kbytes—Thousands of bytes 

— Mbytes—Millions of bytes 

For example, a policy named normal policy is configured for a policing rate of 56 Kbps and 
a normal burst size of 10500 bytes. Any remote user assigned this policy has a maximum 
limit on the rate of sustained tunneled traffic of 56 Kbps. The Concentrator can accept an 
instantaneous burst of 10500 bytes before it starts to limit traffic by dropping packets. 
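The two thresholds above behave like a token bucket: the bucket holds at most Normal Burst Size bytes, it refills at the policing rate, and a packet is forwarded only if enough bytes are in the bucket. The following Python model is an added example, not Cisco code and not part of this course. The page states only the two thresholds and the drop behaviour, so the single-rate token bucket, the packet sizes and the timings are assumptions. The model also derives the burst size from the page's (rate / 8) * 1.5 rule and keeps the conformed and throttled byte counters that the Concentrator's bandwidth statistics screens report.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


def normal_burst_bytes(policing_rate_bps: int) -> int:
    """Burst size from the page's rule of thumb: (policing rate / 8) * 1.5 bytes."""
    return int(policing_rate_bps / 8 * 1.5)


@dataclass
class Policer:
    """Single-rate token-bucket policer (assumed model of the Concentrator's policer)."""
    rate_bps: int                                   # policing rate: sustained ceiling in bits/s
    burst_bytes: int                                # normal burst size: bucket depth in bytes
    tokens: float = field(init=False)
    last_ms: int = field(init=False, default=0)
    conformed_bytes: int = field(init=False, default=0)
    throttled_bytes: int = field(init=False, default=0)

    def __post_init__(self) -> None:
        self.tokens = float(self.burst_bytes)       # an idle session may burst immediately

    def offer(self, t_ms: int, size: int) -> bool:
        """Offer one packet of `size` bytes arriving at t_ms (milliseconds).

        Returns True if it is forwarded (conformed), False if dropped (throttled).
        Tokens refill at rate_bps / 8 bytes per second but never above burst_bytes,
        so idling buys at most one burst; after that only the sustained rate passes.
        """
        self.tokens = min(self.burst_bytes,
                          self.tokens + (t_ms - self.last_ms) * self.rate_bps / 8000.0)
        self.last_ms = t_ms
        if size <= self.tokens:
            self.tokens -= size
            self.conformed_bytes += size
            return True
        self.throttled_bytes += size                # policing drops; it does not queue or delay
        return False


def run(rate_bps: int, burst_bytes: int, packets: List[Tuple[int, int]]) -> Tuple[int, int]:
    """Feed (t_ms, size) packets through a fresh policer; return (conformed, throttled) bytes."""
    p = Policer(rate_bps, burst_bytes)
    for t_ms, size in packets:
        p.offer(t_ms, size)
    return p.conformed_bytes, p.throttled_bytes


# The page's "normal policing" policy: 56 kbps; the rule of thumb gives the 10500-byte default.
RATE = 56_000
BURST = normal_burst_bytes(RATE)

# Constructed traffic. A: 15000 bytes arrive at once, then a stream that exactly matches
# 56 kbps (700 bytes every 100 ms). Only one bucket's worth of the opening burst gets through;
# the matched stream passes untouched.
SCENARIO_A = [(0, 1500)] * 10 + [(1000 + 100 * i, 700) for i in range(20)]

# B: same opening burst, then a stream at twice the policing rate (1400 bytes every 100 ms).
# Once the bucket drains, every other packet is dropped, holding delivery at 56 kbps.
SCENARIO_B = [(0, 1500)] * 10 + [(1000 + 100 * i, 1400) for i in range(20)]

if __name__ == "__main__":
    for name, scenario in (("A", SCENARIO_A), ("B", SCENARIO_B)):
        conformed, throttled = run(RATE, BURST, scenario)
        print(f"scenario {name}: conformed={conformed} bytes, throttled={throttled} bytes")
```

In scenario A the opening 15000-byte burst loses 4500 bytes (three 1500-byte frames) because the bucket holds only 10500, while the stream that matches the policing rate is never touched. In scenario B the same bucket protects the first second of the faster stream, then the policer settles into dropping every other packet so that the delivered rate is exactly 56 kbps. A policy whose burst size is set far below the rule of thumb will drop frames from perfectly ordinary TCP bursts; one set far above it lets a session exceed its ceiling for seconds at a time.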
Bandwidth Policing Configuration 

[Figure: three policing policies defined on the Concentrator: normal, executive and LAN-to-LAN.] 
In a Concentrator, there may be multiple policies defined. In this example, the administrator 
defined three policing policies: normal, executive, and LAN-to-LAN. The normal policy assigns a 
baseline bandwidth allocation, while the executive policy allocates higher thresholds for the 
policing rate and burst size. The LAN-to-LAN policing policy applies to site-to-site tunnels. 
Users under the normal policing policy are capped at 56 Kbps with a normal burst size of 10500 
bytes; this could be the default policing policy for the Concentrator. Users under the executive 
policing policy are capped at 128 Kbps with a normal burst size of 24 Kbytes (24000 bytes). This 
is a custom policy for remote users who need more bandwidth than the normal, default, policy 
allows. The LAN-to-LAN policing policy caps a site-to-site tunnel at 384 Kbps with a normal 
burst size of 72 Kbytes (72000 bytes). Both burst sizes follow the (rate / 8) * 1.5 rule of thumb. 
Interface Policing Configuration 

[Figure: system engineers connecting across the Internet to the headquarters Concentrator. 
Screenshot: Configuring Ethernet Interface 2 (Public), Bandwidth Management Parameters: 
Bandwidth Management check box (checked); Link Rate 1544 kbps, described as the link rate 
applied to all tunneled traffic, to be based on available Internet bandwidth and not the physical 
LAN connection rate; Bandwidth Policy "normal policing", described as the policy applied to all 
VPN tunnels that do not have a group-based Bandwidth Management policy, with policies configured 
at Configuration | Policy Management | Traffic Management | Bandwidth Policies. Apply and Cancel 
buttons.] 
Once policies are defined, they are assigned to a Concentrator interface, public or private, or to a 
user group. The interface policy defines the default policing rate for the Concentrator. If a 
remote user belongs to a group that has no policing policy of its own, the remote user is 
assigned the policing rate defined for the interface. Choose the Configuration>Interfaces> 
Ethernet2 window, Bandwidth Parameters tab, to assign a policing policy to the interface: enable 
bandwidth management on the selected interface, define the link rate for the interface, and 
assign the policy to be used on the interface. The interface bandwidth management parameters are 
as follows: 


■ Bandwidth Management—Select the Bandwidth Management check box to enable 
bandwidth management on this interface. 

■ Link Rate—Enter a value for the link rate, and select a unit of measurement. The defined 
link rate must be based on the available Internet bandwidth and not the physical LAN 
connection rate. The default is 1.544 Mbps. If the link rate is less than the sum of the policed 
rates, it is possible that some remote users will never reach their policing rate. 

■ Bandwidth Policy—Select a policy from the drop-down list. If there are no policies in this 
list, you must first choose the Configuration>Policy Management>Traffic Management> 
Bandwidth Policies window and define one or more policies. 


Note If bandwidth policing is required in a network, a policing policy must be defined and applied to 
an interface before applying group policing policies. The Concentrator will not allow a group 
policy to be applied first. If an administrator attempts to apply a group policy first, the 
Concentrator will return an error message. 
In this example, the Internet link is a T1, 1.544 Mbps. The default policy for the interface is 
normal policing, which caps each session at 56 Kbps with a burst size of 10500 bytes. System 
engineers, who have no group policy of their own, are therefore policed at 56 Kbps. 
Group Policing Configuration 

[Figure: system engineers (20) and executives (6) connecting to the Concentrator. Screenshot: 
Configuration | User Management | Groups, which lets you add, modify and delete groups and, for a 
selected group, open Authentication Servers, Authorization Servers, Accounting Servers, Address 
Pools, Client Update and Bandwidth Assignment. The Bandwidth Assignment window, per interface 
(Ethernet 2 (Public)), lets you configure group-wide bandwidth parameters: Policy, the bandwidth 
policy to apply to this interface, and Bandwidth Aggregation, the aggregate reserved group 
bandwidth for this interface (shown as 0 bps). To share global available bandwidth instead of a 
specific reservation, enter 0 in the Bandwidth Aggregation text box.] 
Choose the Configuration>User Management>Groups window, select a group, and click 
Bandwidth Assignment to assign a policing policy to a group of remote users. In the resulting 
per-interface window, configure the following group bandwidth policy parameters: 


■ Policy—Select a policy from the Policy drop-down menu for the group. If you do not want 
to select a policy here, select None. 

■ Bandwidth Aggregation—Enter a value for the aggregate group bandwidth to reserve for 
this group and select a unit of measurement. This parameter is discussed later in this lesson. 


If the administrator assigns a policing policy to a group, remote users who belong to this group 
participate in the policing policy applied to the group. If you do not configure a bandwidth- 
policing policy for a group and bandwidth management is enabled on the interface, remote users 
participate in the policy applied to the interface, which is the default policy for the Concentrator 
as a whole. 


In the figure, there is a multigroup remote access scenario with system engineers and executives. The 
administrator assigns different policing policies to each group. The executives group is assigned 
the executive policing policy. The system engineers are not assigned a group policing policy. As 
remote access executives connect to the Concentrator, they are assigned the group policing rate 
of 128 Kbps and a burst size of 24 Kbytes. No policing policy is assigned to the system engineers 
group. As remote system engineers connect, they participate in the default policy for the 
interface: a 56 Kbps policing rate and a burst size of 10500 bytes. 
Bandwidth Management—Bandwidth Reservation 

[Figure: headquarters Concentrator with 20 system engineers and 6 executives connecting; each 
session is given a reserved slice of the available bandwidth.] 
Bandwidth reservation reserves a minimum amount of bandwidth per session for tunneled 
traffic. As they connect to the Concentrator, each remote user receives a minimum amount of 
bandwidth. When there is little traffic on the Concentrator, users receive more than their allocated 
minimum of bandwidth. When the Concentrator becomes busy, they still receive at least the minimum 
amount. When the combined total of the reserved bandwidth amounts of all active tunnels on an 
interface approaches the limit of the total bandwidth available on that interface, the Concentrator 
refuses further connections from users who demand more reserved bandwidth than is available. 


Suppose the link rate on your public interface is 1.544 Mbps, and suppose you apply a reserved 
bandwidth policy to that interface that sets the reserved bandwidth to 64 Kbps per user. With 
this link rate and policy setting, only a total of 24 concurrent users can connect to the 
Concentrator at one time (1544 Kbps per interface divided by 64 Kbps per user is 24.1, so 24 
full reservations fit). 

■ The first user who logs on to the Concentrator reserves 64 Kbps of bandwidth plus the 
remainder of the bandwidth (1480 Kbps). 

■ The second user who logs on to the Concentrator reserves 64 Kbps of bandwidth and shares 
the remainder of the bandwidth (1416 Kbps) with the first user. 

■ When the twenty-fourth concurrent user connects, all users are limited to their minimum of 
64 Kbps of bandwidth per connection. 

■ When the twenty-fifth user attempts to connect, the Concentrator refuses the connection. It 
does not allow any additional connections, since it cannot supply the minimum 64 Kbps 
reservation of bandwidth to more users. 
One can think of bandwidth reservation as pieces of a pie. Each remote user is assigned a slice 
of the pie, the reserved bandwidth. As tunnels are established, each user is assigned a slice 
until the pie is completely divided. At that point, any new connection requesting a slice of the 
pie is refused. 
Bandwidth Reservation Policy Configuration—System Wide 

[Figure: the "Normal" reservation as a slice of the available bandwidth. Screenshot: the 
Bandwidth Policies list (exec policing, LAN-to-LAN reservation, normal reservation, executive 
reservation, normal policing) and the policy window: Policy Name; Bandwidth Reservation check 
box (check to reserve a minimum bandwidth per session); Minimum Bandwidth; Policing check box; 
Policing Rate (shown as 56); Normal Burst Size (shown as 10500). Apply and Cancel buttons.] 
Configuring bandwidth reservation is a two-step process. First, the bandwidth reservation 
policies are defined. Next, the policies are assigned to an interface, to LAN-to-LAN connections, 
and optionally to groups. Choose the Configuration>Policy Management>Traffic 
Management>Bandwidth Policies window to configure bandwidth reservation policies. The 
bandwidth policy window consists of two parts, bandwidth reservation on the top half and 
policing on the bottom half. Under bandwidth reservation, the administrator sets the 
minimum bandwidth assigned per session for remote users. The bandwidth reservation 
parameters are as follows: 


■ Policy Name—Enter a unique policy name. 

■ Bandwidth Reservation—Select the Bandwidth Reservation check box to enable the 
feature. 

■ Minimum Bandwidth—Enter the amount of bandwidth reserved per user during periods of 
congestion. Enter a value for the minimum bandwidth and select one of the following units 
of measure: 

— bps—Bits per second 

— Kbps—Thousands of bits per second 

— Mbps—Millions of bits per second 


In this example, the administrator created a policy called normal reservation. This reservation 
allocates a minimum of 64 Kbps to each remote access session. 


9-60 Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc. 


Bandwidth Reservation Policy Configuration—Group 

[Figure: "Normal" and "Executive" reservations as slices of the available bandwidth. Screenshot: 
the Bandwidth Policies list with "executive reservation" selected, and its policy window: Policy 
Name executive reservation; Bandwidth Reservation check box (check to reserve a minimum bandwidth 
per session); Minimum Bandwidth in kbps; Policing check box; Policing Rate (shown as 56); Normal 
Burst Size (shown as 10500), described as the amount of data allowed in a burst before excess 
packets are dropped. Add and Cancel buttons.] 
Not all remote users have the same bandwidth requirements. The administrator can configure 
additional policies with different bandwidth reservations. In the figure, the administrator created 
a policy for the executive group. Each member of the executive group requires more bandwidth 
than the minimum allocation of 64 Kbps, so a policy was defined that reserves 128 Kbps of 
bandwidth for each executive session upon connection to the Concentrator. 


In the figure, as each executive connects, they are allocated part of the available bandwidth. The 
amount of bandwidth allocated to each executive is defined by the assigned policy, executive 
reservation. Under this policy, each executive receives a minimum of 128 Kbps of reserved 
bandwidth. 
Bandwidth Reservation Policy Configuration—LAN-to-LAN 

[Figure: the "LAN-to-LAN" reservation as a slice of the available bandwidth. Screenshot: the 
Bandwidth Policies list with "LAN-to-LAN reservation" selected, and its policy window: Policy 
Name LAN-to-LAN reservation; Bandwidth Reservation checked; Minimum Bandwidth 384 kbps; 
Policing check box; Policing Rate (shown as 56); Normal Burst Size (shown as 10500). Apply and 
Cancel buttons.] 
In mixed environments where there are both remote access and site-to-site connections, it is also 
possible to reserve bandwidth for the site-to-site tunnels. For site-to-site policies, the minimum 
bandwidth field assigns the bandwidth reservation to the site-to-site tunnel as a whole rather than 
allocating bandwidth per user connecting through the tunnel. 


In the LAN-to-LAN policy example above, when a site-to-site tunnel is established, the 
bandwidth reservation for the tunnel is 384 Kbps. The 384 Kbps of bandwidth is assigned on a 
per-tunnel basis, not on a per-user basis. 
Bandwidth Reservation—Public Interface Configuration 

[Screenshot: the policy window for "normal reservation": Bandwidth Reservation checked; Minimum 
Bandwidth 64 kbps; Policing check box; Policing Rate; Normal Burst Size (shown as 10500). Beside 
it, Configuring Ethernet Interface 2 (Public), Bandwidth Management Parameters: Bandwidth 
Management checked; Link Rate 1544 kbps (the link rate applied to all tunneled traffic, based on 
available Internet bandwidth and not the physical LAN connection rate); Bandwidth Policy set to 
the normal reservation policy (applied to all VPN tunnels that do not have a group-based Bandwidth 
Management policy; policies are configured at Configuration | Policy Management | Traffic 
Management | Bandwidth Policies). Apply and Cancel buttons.] 
First, the administrator defines bandwidth reservation policies. Next, the policies are applied to 
interfaces, groups, and site-to-site tunnels. Choose the Configuration>Interfaces>Ethernet 1/2/3 
window, Bandwidth Parameters tab, to apply a policy to an interface. The Bandwidth Parameters tab 
parameters are as follows: 


■ Bandwidth Management—Select the Bandwidth Management check box to enable the 
feature on the interface. 

■ Link Rate—Set the link rate applied to all tunneled traffic. The defined link rate must be 
based on the available Internet bandwidth and not the physical LAN connection rate. The 
default is 1.544 Mbps. 

■ Bandwidth Policy—Select a bandwidth policy for this interface. This policy is applied to all 
VPN tunnels that do not have a group-based bandwidth management policy. 


If bandwidth reservation is required in a network, a bandwidth reservation policy must be 
defined and applied to an interface before applying group bandwidth reservation policies. The 
Concentrator will not allow a group policy to be applied first. If an administrator attempts to 
apply a group policy first, the Concentrator will return an error message. 


In this example, each remote user not assigned to a group bandwidth reservation policy receives 
the minimum bandwidth reservation defined by the normal reservation policy, that is, 64 Kbps of 
bandwidth. 
Bandwidth Reservation—Group Configuration 

[Screenshot: Configuration > User Management > Groups > Bandwidth Assignment for Ethernet 2 
(Public): Policy "exec reservation" (the bandwidth policy to apply to this interface); Bandwidth 
Aggregation 384 kbps (the aggregate reserved group bandwidth for this interface). To share global 
available bandwidth instead of a specific reservation, enter 0 in the Bandwidth Aggregation text 
box. Apply and Cancel buttons.] 
For those groups that have different bandwidth requirements, the administrator can define 
group-based bandwidth reservations. Choose the Configuration>User Management>Groups 
window, select a group, and click Bandwidth Assignment. From the Policy drop-down menu, 
select the appropriate policy. In the figure, the policy assigned to the interface reserves 64 Kbps 
of bandwidth for each remote user. This is fine for the system engineers, but the executives 
require a larger bandwidth reservation. From the Policy drop-down menu, the administrator 
selected the executive reservation policy. With this policy, each member of the executive group is 
allocated a minimum bandwidth reservation of 128 Kbps. 
Bandwidth Aggregation 

[Figure: the "Executive" aggregate carved out of the available bandwidth. Screenshot: Bandwidth 
Assignment for Ethernet 2 (Public): Policy "exec reservation" (the bandwidth policy to apply to 
this interface); Bandwidth Aggregation 512 kbps (the aggregate reserved group bandwidth for this 
interface). To share global available bandwidth instead of a specific reservation, enter 0 in the 
Bandwidth Aggregation text box. Apply and Cancel buttons.] 
Choose the Configuration>System>Tunneling Protocols>IPSec>IPSec LAN-to-LAN 
window, select the connection you wish to modify, and click Modify. From the Bandwidth Policy 
drop-down menu, select the bandwidth policy to apply to this IPSec LAN-to-LAN connection; if you 
do not want to select a policy here, select None. When a bandwidth reservation policy is applied 
to a LAN-to-LAN connection, the Concentrator automatically aggregates the bandwidth: the minimum 
bandwidth is applied to the tunnel rather than on a per-user basis. This allows you to reserve a 
specific amount of bandwidth for the site-to-site connection. 


In the figure, the LAN-to-LAN policy was defined with a minimum bandwidth of 384 Kbps. 
This policy was applied to the LAN-to-LAN tunnel configurations (only the Site B tunnel 
configuration is shown). Once applied, the Concentrator reserves an aggregate of 384 Kbps for 
each LAN-to-LAN tunnel. 


Note If bandwidth reservation is enabled and the administrator selects None from the LAN-to- 
LAN Bandwidth Policy drop-down menu, the LAN-to-LAN tunnel contends for system-wide 
bandwidth like a default user. If no reservation is applied and the tunnel drops, there is no 
guarantee that the LAN-to-LAN tunnel can reconnect if other default remote users make a 
connection before the LAN-to-LAN tunnel reestablishes its connection. It is suggested that, if 
bandwidth reservation is applied to the network, a LAN-to-LAN bandwidth reservation policy 
be defined and applied. 
LAN-to-LAN Bandwidth Reservation Configuration 

[Figure: the "Site B" reservation as a slice of the available bandwidth. Screenshot: the policy 
window for "LAN-to-LAN reservation": Bandwidth Reservation checked; Minimum Bandwidth 384 kbps; 
Policing check box; Policing Rate (shown as 56 kbps); Normal Burst Size (shown as 10500 bytes), 
described as the amount of data allowed in a burst before excess packets are dropped. Apply and 
Cancel buttons.] 


Configuring bandwidth reservation alone may lead to a scenario in which high-priority, high-bandwidth 
users are unable to connect to a congested Concentrator because of their bandwidth 
requirements. For this case, the Concentrator provides a feature called bandwidth 
aggregation. Bandwidth aggregation allows a particular group to reserve a fixed portion of the 
total bandwidth on the interface. (This fixed portion is known as an aggregation.) Then, as users 
from that group connect, each receives a part of the total bandwidth allocated for that group. 
When one group makes a reserved bandwidth aggregation, it does not affect the bandwidth 
allocated to users who are not in that group. However, those other users are now sharing a smaller 
amount of the total bandwidth, so fewer of them can connect. One can think of bandwidth 
aggregation as pieces of a pie. Each group is assigned a slice of the pie, its aggregate bandwidth. 
As tunnels are established, each user is assigned part of the slice until the slice is completely 
divided. At that point, any new connection requesting part of that slice is refused. Choose the 
Configuration>User Management>Groups>Bandwidth Assignment window to assign 
a bandwidth aggregation. Configure the following parameters: 


■ Policy—Select a bandwidth policy from the Policy drop-down menu. 

■ Bandwidth Aggregation—Enter a value for the aggregate bandwidth to reserve for this 
group and select a unit of measure. 


In the figure, the executive group is assigned a bandwidth aggregation of 512 Kbps. As each 
executive connects, they are allocated part of the 512 Kbps aggregated bandwidth. The amount 
of bandwidth allocated to each executive is defined by the assigned policy; in this case, each 
executive reserves 128 Kbps. Executive users are admitted until the 512 Kbps slice of the 
bandwidth pie has been fully allocated, that is, four concurrent executive sessions. 
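To see how reservation, aggregation and the LAN-to-LAN Note interact, here is an added admission-control model in Python. It is not Cisco code, and the Concentrator's internal algorithm is not given on this page. The model assumes that every session reserves its policy's Minimum Bandwidth out of the interface link rate, that a group with a non-zero Bandwidth Aggregation draws from its own carve-out, that a LAN-to-LAN tunnel with a policy has its reservation set aside whether or not the tunnel is up (the reading of the Note above), and that a connection is refused when its pool cannot cover the reservation. The T1 link rate and the 64, 128, 384 and 512 Kbps figures are the page's; the session names and the order in which they connect are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass
class Policy:
    name: str
    min_bps: int                      # the policy's Minimum Bandwidth field


@dataclass
class Group:
    name: str
    policy: Optional[Policy] = None   # None: fall back to the interface policy
    aggregation_bps: int = 0          # 0: share the interface-wide pool


class Interface:
    """Public interface with bandwidth management enabled (assumed admission model)."""

    def __init__(self, link_rate_bps: int, default_policy: Policy, groups: Iterable[Group] = (),
                 tunnels: Optional[Dict[str, Optional[Policy]]] = None) -> None:
        self.default_policy = default_policy
        self.groups = {g.name: g for g in groups}
        self.tunnels = tunnels or {}                    # tunnel name -> its Bandwidth Policy (None allowed)
        # Group aggregations and tunnel reservations are carved out of the link up front;
        # what remains is the pool that "default" users divide among themselves.
        carved = sum(g.aggregation_bps for g in self.groups.values())
        carved += sum(p.min_bps for p in self.tunnels.values() if p)
        if carved > link_rate_bps:                      # sanity check assumed here, not on the page
            raise ValueError("aggregations exceed the link rate")
        self.shared_free = link_rate_bps - carved
        self.group_free = {g.name: g.aggregation_bps for g in self.groups.values()}
        self.active: Dict[str, Tuple[Optional[str], int]] = {}   # session -> (pool, bps)

    def effective_policy(self, group_name: Optional[str] = None) -> Policy:
        """Group policy if the group has one, otherwise the interface (default) policy."""
        g = self.groups.get(group_name or "")
        return g.policy if g and g.policy else self.default_policy

    def connect_user(self, user: str, group_name: Optional[str] = None) -> bool:
        g = self.groups.get(group_name or "")
        pool = group_name if g and g.aggregation_bps > 0 else None
        return self._admit(user, pool, self.effective_policy(group_name).min_bps)

    def connect_tunnel(self, tunnel: str) -> bool:
        policy = self.tunnels[tunnel]
        if policy is None:                              # Bandwidth Policy = None: just another default user
            return self._admit(tunnel, None, self.default_policy.min_bps)
        self.active[tunnel] = ("tunnel:" + tunnel, policy.min_bps)
        return True                                     # its bandwidth was set aside at configuration time

    def disconnect(self, name: str) -> None:
        pool, bps = self.active.pop(name)
        if pool is None:
            self.shared_free += bps
        elif pool in self.group_free:
            self.group_free[pool] += bps                # a tunnel's carve-out stays reserved for it

    def _admit(self, name: str, pool: Optional[str], need: int) -> bool:
        free = self.shared_free if pool is None else self.group_free[pool]
        if need > free:
            return False                                # refused: cannot supply the minimum
        if pool is None:
            self.shared_free -= need
        else:
            self.group_free[pool] -= need
        self.active[name] = (pool, need)
        return True


# The page's values: T1 link; 64, 128 and 384 kbps reservations; 512 kbps executive aggregate.
T1 = 1_544_000
NORMAL = Policy("normal reservation", 64_000)
EXECUTIVE = Policy("executive reservation", 128_000)
LAN_TO_LAN = Policy("LAN-to-LAN reservation", 384_000)

def reservation_only() -> Tuple[int, int]:
    """Interface policy only: how many 64 kbps users fit on a T1, and what is left over."""
    iface = Interface(T1, NORMAL)
    admitted = sum(1 for i in range(25) if iface.connect_user(f"se{i}"))
    return admitted, iface.shared_free

def with_aggregation() -> Dict[str, object]:
    """Executives draw on their own 512 kbps pool, Site B holds 384 kbps, the rest is shared."""
    iface = Interface(T1, NORMAL, tunnels={"Site B": LAN_TO_LAN},
                      groups=[Group("executives", EXECUTIVE, aggregation_bps=512_000),
                              Group("system engineers")])
    execs = sum(1 for i in range(6) if iface.connect_user(f"exec{i}", "executives"))
    site_b = iface.connect_tunnel("Site B")
    ses = sum(1 for i in range(20) if iface.connect_user(f"se{i}", "system engineers"))
    return {"executives": execs, "site_b": site_b, "system_engineers": ses,
            "se_policy": iface.effective_policy("system engineers").name}

def tunnel_reconnect(with_policy: bool) -> bool:
    """The page's Note: can Site B come back after dropping while remote users fill the link?"""
    iface = Interface(T1, NORMAL, tunnels={"Site B": LAN_TO_LAN if with_policy else None})
    iface.connect_tunnel("Site B")
    iface.disconnect("Site B")                          # the tunnel drops
    for i in range(24):                                 # default users take whatever is free
        iface.connect_user(f"se{i}")
    return iface.connect_tunnel("Site B")
```

Run `reservation_only()` and 24 sessions are admitted with 8 Kbps left over, exactly the twenty-fifth-user refusal described earlier. `with_aggregation()` admits only four of the six executives, because their 512 Kbps aggregate is exhausted even though the shared pool still has room, and then only ten system engineers, because the 648 Kbps that remains after the executive aggregate and the Site B reservation are carved out holds ten 64 Kbps reservations. `tunnel_reconnect(False)` shows the failure mode in the Note: a tunnel configured with Bandwidth Policy None drops, 24 default users take the link, and the tunnel cannot come back; with the LAN-to-LAN policy assigned, `tunnel_reconnect(True)` succeeds because the 384 Kbps was never handed to anyone else.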
Bandwidth Session Statistics 

[Screenshot: Administration > Administer Sessions > Detail for a LAN-to-LAN session, with Reset 
and Refresh buttons.] 

Connection Name  IP Address   Protocol          Encryption  Login Time       Duration  Bytes Tx  Bytes Rx 
pod6             192.168.1.5  IPSec/LAN-to-LAN  3DES-168    Sep 17 09:37:17  0:06:17   32496     728 

Bandwidth Statistics 

User Name   Interface            Traffic Rate (kbps)      Traffic Volume (bytes) 
                                 Conformed  Throttled     Conformed  Throttled 
pod6 (In)   Ethernet 2 (Public)  0          0             1534       0 
pod6 (Out)  Ethernet 2 (Public)  0          0             43470      0 

IKE Sessions: 1 
IPSec Sessions: 2 

IKE Session 
Session ID           1                Encryption Algorithm  3DES-168 
Hashing Algorithm    MD5              Diffie-Hellman Group  Group 2 (1024-bit) 
Authentication Mode  Pre-Shared Keys  IKE Negotiation Mode  Main 
Rekey Time Interval  26400 seconds 

IPSec Session 
Session ID           2                Remote Address        192.168.1.5 
Local Address        192.168.6.5      Encryption Algorithm  3DES-168 
Hashing Algorithm    MD5              Encapsulation Mode    Tunnel 
Rekey Time Interval  2800 seconds 
Bytes Received       728              Bytes Transmitted     672 
Choose the Administration>Administer Sessions>Detail window to view individual session 
bandwidth management statistics. This window shows details of the effects of bandwidth 
management policies on each tunnel. Only tunnels on which bandwidth management policies are 
enabled appear on this screen. A session whose throttled volume keeps climbing is either assigned 
a policy that is too tight for its legitimate traffic or is pushing far more data than its role 
needs, and either way it is worth a look. The bandwidth statistics parameters are as follows: 

■ User Name—The user name identifying a tunnel using a bandwidth management policy. 

■ Traffic Rate—The rate at which traffic is transmitted, measured in kilobits per second. 

— Conformed—The current rate of session traffic that is within the bandwidth management 
policy. 

— Throttled—The rate at which packets are being throttled (dropped by the policer) to hold the 
session to the conformed rate. 

■ Traffic Volume—Measured in bytes. 

— Conformed—The number of bytes of session traffic that fell within the bandwidth 
management policy. 

— Throttled—The number of bytes throttled to hold the session to the conformed rate. 
Bandwidth Monitoring Statistics (Monitoring>Statistics>Bandwidth Management) 

  This screen shows bandwidth management information. To refresh the statistics, click Refresh. 
  Select a Group to filter the users. 

  Group: --All-- 

  User Name   Interface            Traffic Rate (kbps)     Traffic Volume (bytes) 
                                   Conformed  Throttled    Conformed  Throttled 
  pod6 (In)   Ethernet 2 (Public)                          826 
  pod6 (Out)  Ethernet 2 (Public)                          42432 

  (Only the conformed traffic volumes are legible in the figure.) 
Choose the Monitoring>Statistics>Bandwidth Management window to view bandwidth 
management session statistics. This window shows details of the effects of bandwidth 
management policies on each tunnel. Only active tunnels on which bandwidth management 
policies are enabled appear in this window. The bandwidth management statistics parameters are 
as follows: 

■ User Name—The user name identifying a tunnel using a bandwidth management policy, with 
an (In) row and an (Out) row per user. 

■ Interface—The Concentrator interface on which the policy is applied. 

■ Traffic Rate—Measured in kilobits per second. 

  — Conformed—The current rate of session traffic that falls within the rate set by the 
  bandwidth management policy. 

  — Throttled—The rate at which packets are being throttled to maintain the conformed rate. 

■ Traffic Volume—Measured in bytes. 

  — Conformed—The number of bytes of session traffic that fell within the rate set by the 
  bandwidth management policy. 

  — Throttled—The number of bytes throttled to maintain the conformed rate. 
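The following Python model is an added illustration and is not Concentrator software or code from the course. It puts the executive-group example (a 512 Kbps aggregate from which each session reserves 128 Kbps) together with the conformed and throttled figures that the two statistics windows above report: sessions are admitted until the aggregate is fully reserved, and a session that offers more than its reservation in a measurement interval has the excess counted as throttled. The packet sizes, the traffic pattern and the one-second interval are constructed for the example, and treating the reserved rate as a hard per-interval cap is a simplification of the Concentrator's actual policing.

```python
"""Bandwidth reservation admission and per-session policing (added illustration)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

KBIT = 1000  # the Manager reports rates in kilobits per second


@dataclass
class Policy:
    name: str
    reserved_kbps: int  # minimum bandwidth each session under this policy reserves


@dataclass
class Session:
    user: str
    policy: Policy
    conformed_bytes: int = 0
    throttled_bytes: int = 0
    budget: int = 0  # bytes the session may still send within the current interval

    def send(self, nbytes: int) -> None:
        """Police one packet: what fits the reservation conforms, the excess is throttled."""
        within = min(nbytes, self.budget)
        self.budget -= within
        self.conformed_bytes += within
        self.throttled_bytes += nbytes - within


class GroupAggregate:
    """A group's slice of the link; sessions reserve from it until it is used up."""

    def __init__(self, name: str, aggregate_kbps: int) -> None:
        self.name = name
        self.aggregate_kbps = aggregate_kbps
        self.sessions: List[Session] = []

    def reserved_kbps(self) -> int:
        return sum(s.policy.reserved_kbps for s in self.sessions)

    def connect(self, user: str, policy: Policy) -> Optional[Session]:
        """Admit a session only while its reservation still fits in the aggregate."""
        if self.reserved_kbps() + policy.reserved_kbps > self.aggregate_kbps:
            return None  # aggregate exhausted: no bandwidth left to reserve
        session = Session(user, policy)
        self.sessions.append(session)
        return session

    def start_interval(self, seconds: float) -> None:
        """Give every session its byte budget for one measurement interval (kbit -> bytes)."""
        for s in self.sessions:
            s.budget = int(s.policy.reserved_kbps * KBIT * seconds / 8)

    def statistics(self, seconds: float) -> Dict[str, Dict[str, float]]:
        """The per-user figures the Bandwidth Management statistics windows report."""
        return {
            s.user: {
                "conformed_kbps": s.conformed_bytes * 8 / KBIT / seconds,
                "throttled_kbps": s.throttled_bytes * 8 / KBIT / seconds,
                "conformed_bytes": s.conformed_bytes,
                "throttled_bytes": s.throttled_bytes,
            }
            for s in self.sessions
        }


def simulate() -> dict:
    """The executive example: 512 Kbps aggregate, 128 Kbps reserved per session."""
    executives = GroupAggregate("executive", aggregate_kbps=512)
    policy = Policy("executive reservation", reserved_kbps=128)
    refused = []
    for user in ("exec1", "exec2", "exec3", "exec4", "exec5"):
        if executives.connect(user, policy) is None:
            refused.append(user)  # the fifth executive finds the 512 Kbps fully reserved

    # Constructed traffic for a one-second interval: exec1 stays within 128 Kbps,
    # exec2 offers 240 Kbps and is throttled back to its reservation.
    interval = 1.0
    executives.start_interval(interval)
    by_user = {s.user: s for s in executives.sessions}
    for _ in range(10):
        by_user["exec1"].send(1500)  # 15,000 bytes = 120 Kbps offered
    for _ in range(20):
        by_user["exec2"].send(1500)  # 30,000 bytes = 240 Kbps offered
    return {"refused": refused, "stats": executives.statistics(interval)}


if __name__ == "__main__":
    result = simulate()
    print("refused:", result["refused"])
    for user, figures in result["stats"].items():
        print(user, figures)
```

Running the script shows exec5 refused, exec1 entirely conformed at 120 kbps, and exec2 reported as 128 kbps conformed and 112 kbps throttled, which is the split the (Out) rows of the statistics windows express in kbps and bytes.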
Administration—Ping 

  This screen lets you test network connectivity. Please wait for the operation to complete. 

  Address/Hostname to Ping: 192.168.1.5 

  Result: 192.168.1.5 is alive.    [Continue] 
The Administration>Ping window enables you to use the ICMP ping utility to test network 
connectivity. Specifically, the Concentrator sends an ICMP Echo Request message to a 
designated host. If the host is reachable, it returns an ICMP Echo Reply message and the Manager 
displays a Success window. If the host is not reachable, the Manager displays an Error window. 
A successful ping shows only that ICMP passes between the Concentrator and the host; it does not 
show that IKE (UDP port 500) or ESP traffic is permitted along the same path, so a tunnel that 
fails to establish still needs further investigation after a successful ping. 
TFTP Transfer (Administration>File Management>TFTP Transfer) 

  This screen lets you transfer files to/from the VPN 3000 Concentrator Series. Please wait for 
  the operation to finish. 

  Concentrator File: ____   Action: GET   TFTP Server: ____   TFTP Server File: ____ 
  [OK] [Cancel] 
The Administration>File Management>TFTP Transfer window enables you to use TFTP to 
transfer files to and from the Concentrator Flash memory. The Concentrator acts as a TFTP 
client for these functions, accessing a TFTP server running on a remote system. All transfers are 
made in binary mode, and they copy, rather than move, files. 

To use the TFTP functions, complete the following fields (you must have access rights to read 
and write files): 

■ TFTP Get—Get a file from the remote system (that is, copy a file from the remote system to 
the Concentrator). 

■ TFTP Put—Put a file on the remote system (that is, copy a file from the Concentrator to the 
remote system). 

■ TFTP Server—Enter the IP address or host name of the remote system running the TFTP 
server. (If you configured a DNS server, you can enter a host name; otherwise, enter an IP 
address.) 

■ Concentrator File—Enter the name of the file on the Concentrator. 

■ TFTP Server File—Enter the name of the file on the TFTP server. 

Caution If either filename is the same as an existing file, TFTP overwrites the existing file without 
asking for confirmation. 

TFTP itself provides neither authentication nor encryption: whoever runs the TFTP server, or can 
observe the path to it, obtains the transferred file, and anyone who can reach the server can 
overwrite what it holds. Because a copied configuration file is encrypted only in its passwords and 
other security-related values, run the TFTP server on the private side of the Concentrator and 
remove copied files from the server as soon as they are no longer needed. 
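The following Python program is an added illustration of the TFTP exchange described above; it is not Concentrator or Cisco code. It builds and parses the five TFTP packet types (read request, write request, data, acknowledgement and error), carries a Get and a Put in binary ("octet") mode against an in-memory server, and reproduces two behaviours the text calls out: the transfer is a copy, and a Put overwrites an existing file without any confirmation. The server, its file store and the file contents are constructed for the example and nothing is sent on the network.

```python
"""TFTP (RFC 1350) packets and a GET/PUT exchange in octet mode (added illustration)."""
import struct
from typing import Dict, List, Tuple

RRQ, WRQ, DATA, ACK, ERROR = 1, 2, 3, 4, 5
BLOCK = 512  # a DATA block shorter than 512 bytes ends the transfer


def build_request(opcode: int, filename: str, mode: str = "octet") -> bytes:
    """RRQ/WRQ: opcode, filename, NUL, mode, NUL.  "octet" is TFTP's binary mode."""
    return struct.pack("!H", opcode) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_data(block: int, payload: bytes) -> bytes:
    return struct.pack("!HH", DATA, block) + payload


def build_ack(block: int) -> bytes:
    return struct.pack("!HH", ACK, block)


def build_error(code: int, msg: str) -> bytes:
    return struct.pack("!HH", ERROR, code) + msg.encode() + b"\0"


def parse(pkt: bytes) -> Tuple[int, object]:
    """Return (opcode, fields); raise ValueError on anything malformed."""
    if len(pkt) < 4:
        raise ValueError("short packet")
    opcode = struct.unpack("!H", pkt[:2])[0]
    if opcode in (RRQ, WRQ):
        parts = pkt[2:].split(b"\0")
        if len(parts) < 3:
            raise ValueError("malformed request")
        return opcode, (parts[0].decode(), parts[1].decode().lower())
    if opcode == DATA:
        return opcode, (struct.unpack("!H", pkt[2:4])[0], pkt[4:])
    if opcode == ACK:
        return opcode, struct.unpack("!H", pkt[2:4])[0]
    if opcode == ERROR:
        return opcode, (struct.unpack("!H", pkt[2:4])[0], pkt[4:].split(b"\0")[0].decode())
    raise ValueError("unknown opcode %d" % opcode)


def split_blocks(data: bytes) -> List[bytes]:
    """512-byte blocks; a file that is an exact multiple of 512 needs a final empty block."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    if not blocks or len(blocks[-1]) == BLOCK:
        blocks.append(b"")
    return blocks


class TftpServer:
    """In-memory stand-in for the remote TFTP server.  Note what is missing: the protocol
    carries no credential of any kind, so reachability is the only access control."""

    def __init__(self, files: Dict[str, bytes]) -> None:
        self.files = files

    def get(self, filename: str) -> List[bytes]:
        """DATA packets answering an RRQ, or a single ERROR packet."""
        if filename not in self.files:
            return [build_error(1, "File not found")]
        return [build_data(n + 1, b) for n, b in enumerate(split_blocks(self.files[filename]))]

    def put(self, filename: str, packets: List[bytes]) -> bytes:
        """Accept the DATA packets of a WRQ; like a real server, overwrite without asking."""
        received, expected = bytearray(), 1
        for pkt in packets:
            opcode, fields = parse(pkt)
            if opcode != DATA or fields[0] != expected:
                return build_error(0, "Unexpected packet")
            received += fields[1]
            expected += 1
        self.files[filename] = bytes(received)
        return build_ack(expected - 1)


def tftp_get(server: TftpServer, filename: str) -> bytes:
    """TFTP Get as the Concentrator performs it: RRQ, then an ACK for each DATA block."""
    _, (name, mode) = parse(build_request(RRQ, filename))
    assert mode == "octet"  # the Concentrator always transfers in binary mode
    out = bytearray()
    for pkt in server.get(name):
        opcode, fields = parse(pkt)
        if opcode == ERROR:
            raise IOError("TFTP error %d: %s" % fields)
        out += fields[1]
        build_ack(fields[0])  # the client's acknowledgement for this block
        if len(fields[1]) < BLOCK:
            break
    return bytes(out)


def tftp_put(server: TftpServer, filename: str, data: bytes) -> bool:
    """TFTP Put: WRQ, then the file as numbered DATA blocks; True once the final ACK arrives."""
    _, (name, _) = parse(build_request(WRQ, filename))
    reply = server.put(name, [build_data(n + 1, b) for n, b in enumerate(split_blocks(data))])
    return parse(reply)[0] == ACK
```

A 1280-byte file travels as blocks of 512, 512 and 256 bytes, the short last block telling the receiver the transfer is complete; a 1024-byte file needs a fourth, empty block for the same reason. Putting a file under a name the server already holds replaces the old contents silently, which is the Caution above seen from the wire.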
Summary 

This topic summarizes what you learned in this lesson. 

■ Many items can be monitored, including system status, interface statistics, power supply 
status, and statistics on the various protocols in use. 

■ Administration consists of configuring access rights, configuring ACLs, updating the software 
image, and performing file management. 

■ Bandwidth management can be enabled to distribute bandwidth more equitably. 

■ An administrative ping can be used to test connectivity. 

■ TFTP transfer is available for file transfers. 
Lab Exercise—Cisco VPN 3000 Series Concentrator Monitoring and Administration 

Complete the following lab exercise to practice what you learned in this lesson. 

Objectives 

In this lab exercise you will monitor and administer newly installed Cisco Virtual Private 
Network (VPN) 3000 Series Concentrators. Work with your lab exercise partner to complete the 
following tasks: 

■ Complete the lab exercise setup. 
■ Monitor the Cisco VPN 3000 Series Concentrator system status. 
■ Monitor the Cisco VPN 3000 Series Concentrator system events. 
■ Modify and test a new Cisco VPN 3000 Series Concentrator user account. 
■ Restore the original Cisco VPN 3000 Series Concentrator user account settings. 
■ Update the Cisco VPN 3000 Series Concentrator software. 
■ View and copy configuration files. 
■ Configure bandwidth management policies. 
■ Add bandwidth management policies. 
■ Monitor bandwidth management statistics. 
■ Configure the Cisco VPN 3000 Series Concentrator for TACACS+ administration account 
authentication. 
■ Restore the original administrator account and disable TACACS+ administrator account 
authorization. 
■ Disable split tunneling and firewall required. 
Visual Objective 

The following figure displays the configuration you will complete in this lab exercise. 

Lab Visual Objective (figure): the student PC, running the VPN Client, sits at 172.26.26.P on the 
172.26.26.0 network with default gateway 172.26.26.150; the Concentrator's public interface is on 
the 192.168.P.0 network (where P = pod number). 
Scenario 

Your employer has asked you to administer the newly installed Concentrators in your network. 

Task 1—Complete the Lab Exercise Setup 

Before starting this lab exercise, verify that your equipment is set up as follows: 

■ Ensure that your student PC is powered on. 

■ Ensure that your student PC IP addresses are configured correctly: 

  — Primary IP address—172.26.26.P (where P = pod number) 

  — Default gateway IP address—172.26.26.150 

■ Ensure that your Concentrator is powered on. 
Task 2—Monitor the Cisco VPN 3000 Series Concentrator System Status 

Complete the following steps to log in and monitor the Concentrator system status: 

Step 1 Launch Internet Explorer by double-clicking the desktop icon. 

Step 2 Enter the Concentrator's public interface IP address of 192.168.P.5 in the Internet Explorer 
Address field. Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager. 
(where P = pod number) 

Step 3 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account: 

Login: admin 
Password: admin 

The username (login) and password are always case sensitive. 

Step 4 From the Monitoring menu tree, drill down to System Status and answer the following 
questions: 

Q1) What is the Software Rev? 
A) 
Q2) What is the RAM size? 
A) 
Q3) The system has been up since when (last time booted)? 
A) 

Step 5 Click the Concentrator power supply graphic and answer the following question: 
Q4) Are the voltages OK? 
A) 

Step 6 Click Back. 

Step 7 Click the Concentrator private interface port graphic and answer the following questions: 
Q5) What is the IP address of the port? 
A) 
Q6) What is the status of the port? 
A) 

Step 8 Click Back. 

Step 9 Click the Concentrator public interface port graphic and answer the following questions: 
Q7) What is the IP address of the port? 
A) 
Q8) What is the status of the port? 
A) 

Step 10 Click Back. 

Step 11 View the fan status and answer the following questions: 
Q9) What is the speed of fan 1? 
A) 
Q10) What is the speed of fan 2? 
A) 
Q11) What is the temperature inside the chassis? 
A) 

The larger Concentrator models (3015 and above) enable you to drill down to System 
Status>LED Status from the Monitoring menu tree. This feature enables you to view the state of 
the front panel LEDs. 


Task 3—Monitor the Cisco VPN 3000 Series Concentrator System Events 

Complete the following steps to monitor the Concentrator system events: 

Step 1 From the Configuration menu tree, drill down to System>Events>General and answer the 
following questions: 
Q12) Is Save Log on Wrap enabled? 
A) 
Q13) What are the three Save Log formats? 
A) 
B) 
C) 
Q14) Is FTP saved log on wrap enabled? 
A) 
Q15) What is the range of severity captured to the log? 
A) 
Q16) What is the range of severity captured to the console? 
A) 
Q17) Are there any logged events sent to Syslog, E-mail, or SNMP traps? 
A) 

Step 2 Click Cancel. 

Step 3 From the Monitoring menu tree, drill down to Filterable Event Log. 

Step 4 In the Client IP Address field, enter your student PC's primary IP address. 

Step 5 Click |<< and answer the following question: 
Q18) What, if anything, did you see? 
A) 

Step 6 Click Get Log. Answer the following question: 
Q19) What happened? 
A) 

Step 7 Close the log Internet Explorer window. 

Step 8 Set the Client IP address back to 0.0.0.0. 

Step 9 Click Save Log. The Internet Explorer user prompt window opens. 

Step 10 Enter a filename: LOG2. 

Step 11 Click OK. 

Step 12 From the Administration menu tree, drill down to File Management. Answer the following 
question: 
Q20) Is LOG2 listed as one of the files? 
A) 

Step 13 For LOG2 under the Actions column, click View. 

Step 14 Close the window. 

Step 15 For LOG2 under the Actions column, click Delete (delete only the LOG2 file). The Are you sure 
you want to delete LOG2 message opens. 

Step 16 Click OK. 

Step 17 From the Administration>File Management window, select XML Export. The 
Administration>File Management>XML Export window opens. 

Step 18 In the File Name field, enter FILEXML and click Export. The Success window opens. 

Step 19 Click Continue. The Administration>File Management window opens. 

Step 20 For FILEXML under the Actions column, click View. An Internet Explorer window opens. 

Step 21 From the Internet Explorer tool bar in the window, select Edit>Find (on this page). The Internet 
Explorer Find window opens. 

Step 22 In the Find what field, enter Ethernet and click Find Next. From the Ethernet category, answer 
the following questions: 
Q21) What is the <index> number? 
A) 
Q22) What is the <addr_setting>? 
A) 
Q23) What is the <ipaddr> setting? 
A) 
Q24) What is the <subnet> address? 
A) 

Step 23 In the Find window, click Cancel. 

Step 24 Close the FILEXML Internet Explorer window. 

Step 25 Under the Actions column of the FILEXML row, click Delete (delete only the FILEXML file). 
The Are you sure you want to delete FILEXML message opens. 

Step 26 Click OK. 


Task 4—Modify and Test a New Cisco VPN 3000 Series Concentrator User Account 

In this task, modify the access rights of a default user account and test the new access capabilities. 
Complete the following steps to modify and test a default user account using the Cisco VPN 
3000 Concentrator Series Manager: 

Step 1 From the Administration menu tree, drill down to Access Rights>Administrators. 
Step 2 Go to the user account line and click Modify. 
Step 3 Change User Name to userP. (where P = pod number) 
Step 4 Change Password to userP. 
Step 5 Change Verify to userP. 
Step 6 Change Authentication to View Config. 
Step 7 Change General to View Config. 
Step 8 Change SNMP to View Config. 
Step 9 Leave Files at Read Files. 
Step 10 Click Apply. 
Step 11 Enable the userP account by selecting the Enabled check box. 
Step 12 Click Apply. 
Step 13 Log out of the Concentrator. 
Step 14 Log in to the Cisco VPN 3000 Concentrator Series Manager using the new userP account: 

Login: userP 
Password: userP 
(where P = pod number) 

Step 15 From the Configuration menu tree, drill down to Interfaces>DNS Server(s). 
Step 16 De-select the Enabled check box. 
Step 17 Click Apply. 
Q25) What message did you receive? Why? 
A) 

Step 18 From the Administration menu tree, drill down to Access Rights and answer the following 
question: 
Q26) What message did you receive? Why? 
A) 

Step 19 Log out of the Concentrator. 

You have successfully modified and tested the user account. Now restore the original account 
settings. Resetting the Concentrator to factory defaults does not return the original access 
account settings. Returning accounts to their original settings must be done manually. 


Task 5—Restore the Original Cisco VPN 3000 Series Concentrator User Account Settings 

In this task, return the modified user account to its default values. Complete the following 
steps to restore the original settings for the user account: 

Step 1 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account: 

Login: admin 
Password: admin 

Step 2 From the Administration menu tree, drill down to Access Rights>Administrators. 
Step 3 Locate the userP account line and click Modify. (where P = pod number) 
Step 4 Click Default. Answer the following question: 
Q27) What happened to the Enabled check box? 
A) 

When you click Default, two things happen: the account is disabled and the access 
rights are reset to Stats Only. 

Step 5 Locate the userP account line and click Modify. Answer the following question: 
(where P = pod number) 
Q28) What happened to the access rights? 
A) 

Step 6 Change the username to user. 
Step 7 Change the password to user. 
Step 8 Change verify to user. 
Step 9 Click Apply. 
Step 10 From the Administration menu tree, drill down to Access Rights>Access Settings and answer 
the following questions: 
Q29) What is the session idle timeout setting? 
A) 
Q30) By default, the Concentrator allows a maximum of how many administration sessions? 
A) 
Q31) By default, does the Concentrator configuration file contain encrypted data? 
A) 

When configuration file encryption is selected (the default), it does not apply to the entire 
contents of the configuration file. Only passwords and other security-related parameters within 
the configuration file are encrypted. 

Step 11 Click Cancel. 


Task 6—Update the Cisco VPN 3000 Series Concentrator Software 

Complete the following steps to practice using the Cisco VPN 3000 Series Concentrator 
software update utility: 

Step 1 From the Administration menu tree, drill down to Software Update. 
Step 2 Select Concentrator. The Administration>Software Update>Concentrator window opens. 
Step 3 Click Browse and open the desktop TFTP folder. 
Step 4 Select the Cisco VPN 3005 release 4.0.x.Rel binary (.bin) file. 
Step 5 Click Open. 
Step 6 Click Upload. The Software Update Progress message window opens, followed by the Software 
Update Success window. Wait until the software update is completed before continuing. 
Step 7 Select Click here to go to the reboot options. The Administration>System Reboot window 
opens. 
Step 8 Select the action to take: Reboot. 
Step 9 Select the type of reboot to perform: Reboot without saving active configuration. 
Step 10 Select the time to perform the reboot or shutdown: Now. 
Step 11 Click Apply and wait for the reboot to complete. 
Step 12 Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account: 

Login: admin 
Password: admin 

Step 13 From the Monitoring menu tree, drill down to System Status and answer the following question: 
Q32) What is the current software revision? 
A) 


Task 7—View and Copy Configuration Files 

Complete the following steps to make copies of the Concentrator configuration files: 

Step 1 From the Administration menu tree, drill down to File Management. 

Step 2 Locate the CONFIG file and click View. A new Internet Explorer window opens displaying the 
contents of the CONFIG file. Answer the following questions: 
Q33) What is the [system] name? 
A) 
Q34) What is the [Access] timeout setting? 
A) 
Q35) What is the [Access] maxsession setting? 
A) 

Step 3 Locate the password parameter using Edit>Find on the Internet Explorer toolbar, and 
answer the following question: 
Q36) Is the password encrypted? 
A) 

Remember that the default setting for configuration files is to encrypt all passwords and security-
related parameter values. 

Step 4 Close the Internet Explorer window containing the CONFIG file contents. 
Step 5 Locate the CONFIG file and click Copy. The Enter filename to copy to message window opens. 
Step 6 Enter a filename: backup1. Filenames must follow the 8.3 naming convention. 
Step 7 Click OK and answer the following question: 
Q37) Is the backup1 file listed in the Administration>File Management window? 
A) 

Step 8 Locate the backup1 file and click Delete. The Are you sure you want to delete backup1 message 
box opens. 
Step 9 Click OK. 


Task 8—Configure Bandwidth Management Policies 

Configuring bandwidth management is a two-step process. First, configure the bandwidth 
management policy. Second, apply the policy to the interface and groups. Complete the 
following steps to configure the policy: 

Step 1 From the Configuration menu tree, drill down to Policy Management>Traffic 
Management>BW Policies. The Policy Management>Traffic Management>Bandwidth Policies 
window opens. 

Step 2 Click Add under the Actions column. The Policy Management>Traffic Management>Bandwidth 
Policies>Add window opens. Complete the following sub-steps to add a bandwidth reservation 
policy: 
1. In the Policy Name field, enter normal reservation. 
2. Select the Bandwidth Reservation check box. 
Q38) What is the default minimum bandwidth? 
A) 
3. Click Add. 

Step 3 Click Add under the Actions column to create a second policy for the training group. The Policy 
Management>Traffic Management>Bandwidth Policies>Add window opens. Complete the 
following sub-steps to add a bandwidth reservation policy: 
1. In the Policy Name field, enter training. 
2. Select the Bandwidth Reservation check box. 
3. In the Minimum Bandwidth field, enter 64. The units should be Kbps. 
4. Click Add. 


Task 9—Add Bandwidth Management Policies 

In the previous task, you configured the bandwidth management policies. In this task, apply the 
policies to the public interface and training group. Complete the following steps to add the 
policies: 

Step 1 Complete the following sub-steps to add the bandwidth reservation policy to the public interface: 
1. From the Configuration menu, drill down to Interfaces. 
2. In the Configuration>Interfaces window, click Ethernet 2 (Public). The Configuration> 
Interfaces>Ethernet 2 window opens. 
3. Select the Bandwidth tab. 
4. Select the Bandwidth Management check box. 
Q39) What is the default link rate? 
A) 
5. From the Bandwidth Policy drop-down menu, select normal reservation. 
6. Click Apply. 

Step 2 Complete the following sub-steps to add the bandwidth reservation policy to the training group: 
1. From the Configuration menu, drill down to User Management>Groups. 
2. Under Current Groups, select training. 
3. Under the Modify column, click Bandwidth Assignment. The Configuration>User 
Management>Groups>Bandwidth Policy window opens. 
4. Under the Interface column, click Ethernet 2 (Public). The Configuration>User 
Management>Groups>Bandwidth>Interfaces window opens. 
5. From the Policy drop-down menu, select training. 
6. Click Apply. 
7. Save your work. 

Step 3 Log out of the Concentrator. 

Step 4 Choose Start>Programs>Cisco Systems VPN Client>VPN Client. Verify that the connection 
entry is studentP. (where P = pod number) 

Step 5 Verify that the IP address of the remote server is set to the Cisco VPN 3000 Series Concentrator's 
public interface IP address of 192.168.P.5. (where P = pod number) 

Step 6 Click Connect. The Connection History window opens and several messages flash by quickly. 
Complete the following sub-steps: 
1. Enter studentP when you are prompted for a username. (where P = pod number) 
2. Enter studentP when you are prompted to enter a password. (where P = pod number) 

Step 7 Click OK. 

Step 8 The window closes and a Cisco VPN Client icon appears in the system tray. 


Task 10—Monitor Bandwidth Management Statistics 


In the previous task, you configured the bandwidth management policies and applied the policies 
to the public interface and training group. In this task, you will monitor the bandwidth 
management statistics. Complete the following steps to monitor bandwidth management 
statistics: 


Step 1 Log in to the Cisco VPN 3000 Concentrator Series Manager private interface using the 
administrator account: 


Login: admin 


Password: admin 
The username (login) and password are always case sensitive. 


Step 2 From the Monitoring menu, drill down to Statistics>Bandwidth Mgmt. The Monitoring> 
Statistics>Bandwidth Management window opens. 


Q40) Under User Name column, what name is listed? 


A) 
Q41) What Interface is listed? 


A) 


Step 3 Click Reset to clear the statistics. 


Step 4 Click Refresh three or four times. From the studentP (Out) row, provide the following 
information: 


Q42) What is the conformed traffic rate? 


A) 
Q43) What is the throttled traffic rate? 


A) 


Q44) What is the conformed traffic volume? 


A) 


Q45) What is the throttled traffic volume? 


A) 


Step 5 From the Monitoring menu, drill down to Sessions>Remote Access Sessions. 
Step 6 In the Monitoring>Sessions window, select studentP. 
(where P = pod number) 


Step 7 From the Bandwidth Statistics for studentP (Out) row, answer the following questions: 
Q46) What is the conformed traffic rate? 


A) 


Q47) What is the throttled traffic rate? 


A) 


Q48) What is the conformed traffic volume? 


A) 


Q49) What is the throttled traffic volume? 


A) 


Task 11—Configure the Cisco VPN 3000 Series Concentrator for TACACS+ Administration 
Account Authentication 

As a Terminal Access Controller Access Control System Plus (TACACS+) administrator, you need 
to know how to administer the Concentrator administration accounts. Complete the following 
steps to administer the Concentrator administrator accounts using the Cisco VPN 3000 
Concentrator Series Manager and TACACS+: 

Step 1 From the Administration menu tree, drill down to Access Rights>Administrators. 

Step 2 Locate the admin username line and click Modify. Complete the following sub-steps: 
1. Set AAA Access Level to 3. The AAA access level must match the privilege level set on the 
TACACS+ server. 
2. Click Apply. The Administration>Access Rights>Administrator window opens. 
3. Click Apply. 

Step 3 From the Administration menu tree, drill down to Access Rights>AAA Servers> 
Authentication and complete the following sub-steps: 
1. Click Add. 
2. Enter the authentication server IP address 10.0.P.10. (where P = pod number) 
3. Enter the server secret: secretkey. Server secrets are always case sensitive and must be 
entered exactly as shown here. 
4. Verify the server secret: secretkey. 
5. Click Add. The Access Rights>AAA Servers>Authentication window opens. 

Step 4 From the Administration>Access Rights>AAA Servers>Authentication window, complete the 
following sub-steps to test the ability of the Concentrator to reach the TACACS+ authentication 
server: 
1. Select the IP address of the authentication server 10.0.P.10. (where P = pod number) 
2. Click Test. 
3. Enter the username: studentP. (where P = pod number) 
4. Enter the password: training. 
5. Click OK. The process may take several moments to complete. Answer the following 
question: 
Q50) What message did you receive? 
A) 

Caution The test must be successful before you proceed. 

Step 5 From the Monitoring menu tree, drill down to Filterable Event Log. 
Step 6 Click Clear Log. 
Step 7 Log out of the Concentrator. 
Step 8 Log in to the Cisco VPN 3000 Concentrator Series Manager using the TACACS+ studentP 
(where P = pod number) account. This administrator account resides on the TACACS+ server 
and is not the same account as any Concentrator studentP account used previously. During this 
login attempt, the Concentrator verifies the login and password with the TACACS+ server. 

Login: studentP 
Password: training 
(where P = pod number) 

It takes a few moments for the authentication to complete. 

Step 9 From the Monitoring menu tree, drill down to Filterable Event Log. Answer the following 
question: 
Q51) Did the TACACS+ authentication server authenticate the studentP (where P = pod 
number) account? 
A) 


Task 12—Restore the Original Administrator Account and Disable TACACS+ Administrator 
Account Authorization 

Complete the following steps to set the administration settings for the Concentrator back to their 
defaults: 

Step 1 From the Administration menu tree, drill down to Access Rights>Administrators. 

Step 2 Locate the administrative account line and click Modify. Complete the following sub-steps: 
1. Set the AAA access level to 0. Setting the AAA access level to 0 tells the Concentrator to 
authenticate the administrator user locally. This disables TACACS+ authentication of the 
selected administrator account. 
2. Click Apply. The Administration>Access Rights>Administrator window opens. 
3. Click Apply. 

Step 3 From the Administration menu tree, drill down to Access Rights>AAA Servers> 
Authentication and complete the following sub-steps: 
1. Select the IP address of the authentication server. 
2. Click Delete. This removes the TACACS+ authentication server from the Concentrator 
configuration. 
3. Save the configuration changes. 
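The following Python program is an added illustration of what the server secret configured in Task 11 actually does on the wire; it is not Cisco code and it is not the Concentrator's implementation. It builds the TACACS+ authentication START packet that a login such as the one in Task 11 begins with, applying the body obfuscation defined in RFC 8907 (an MD5 keystream derived from the session ID, the shared secret, the version and the sequence number), and then decodes it as the server would. The username, the privilege level 3 and the secret "secretkey" are the lab's values; the port string "http" and the fixed session ID used in the test are assumptions for the example, and the packet is never sent.

```python
"""TACACS+ (RFC 8907) authentication START packet and body obfuscation (added illustration)."""
import hashlib
import os
import struct

VERSION = 0xC0       # major version 0xC, minor version 0 (TAC_PLUS_MINOR_VER_DEFAULT)
TYPE_AUTHEN = 0x01   # authentication packet
FLAG_UNENCRYPTED = 0x01
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length


def new_session_id() -> int:
    """Session IDs must be unpredictable: the keystream is derived from them."""
    return struct.unpack("!I", os.urandom(4))[0]


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """pad_1 = MD5(session_id|key|version|seq_no); pad_n = MD5(... |pad_{n-1}); concatenate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; applying it a second time restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def authen_start_body(user: str, priv_lvl: int, port: str = "http", rem_addr: str = "") -> bytes:
    """START body: action, priv_lvl, authen_type, service, four lengths, then the strings.
    The port name is an assumption for this example."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    return struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(u), len(p), len(r), len(d)) + u + p + r + d


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """Header in the clear, body obfuscated under the shared secret (flags = 0)."""
    header = HEADER.pack(VERSION, TYPE_AUTHEN, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def decode_start(packet: bytes, key: bytes) -> dict:
    """What the server recovers; with the wrong secret the fields come out as garbage."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = struct.unpack("!8B", body[:8])
    user = body[8:8 + ul].decode("latin-1")
    return {"type": ptype, "seq_no": seq_no, "priv_lvl": priv_lvl, "user": user}


if __name__ == "__main__":
    sid = new_session_id()
    pkt = build_packet(authen_start_body("student1", 3), sid, b"secretkey")
    print("with the configured secret:", decode_start(pkt, b"secretkey"))
    print("with a mismatched secret:  ", decode_start(pkt, b"SecretKey"))
```

Two points follow from the code. The secret is compared nowhere: a mismatch (including a case difference, which is why the lab insists the secret is case sensitive) simply yields an unreadable body on each side, so the symptom of a wrong secret is a failed test in Step 4 of Task 11 rather than an explicit error. And because the body is only XORed with an MD5-derived stream and carries no integrity check, RFC 8907 calls this obfuscation rather than encryption; the Concentrator-to-server path, 10.0.P.10 in the lab, should be a protected management network rather than a path that untrusted hosts can observe or inject into.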


Task 13—Disable Split Tunneling and Firewall Required 

In the previous tasks, the Concentrators used split tunneling and required a client firewall. For the 
next lab exercise, split tunneling is disabled and a firewall is not required. For a VPN tunnel to 
connect, the Concentrator must be reconfigured. Complete the following steps to modify the 
VPN tunnel and firewall settings: 

Step 1 From the Configuration menu tree, drill down to User Management>Groups. The 
Configuration>User Management>Groups window opens. 
Step 2 Choose training from the Current Groups list and click Modify Group. The Configuration>User 
Management>Groups>Modify training window opens. 
Step 3 Select the Client FW tab. 
Step 4 Select No Firewall in the Firewall Setting group box. 
Step 5 Select the Client Config tab. 
Step 6 Go to the Split Tunneling group box and select Tunnel Everything. 
Step 7 Scroll down to the bottom of the window and click Apply. 
Step 8 Save the changes. 
Step 9 Log out of the Concentrator, and close Internet Explorer. 
Configure the Cisco VPN 3002 Hardware Client for Remote Access Using Pre-Shared Keys 

Overview 

This lesson includes the following topics: 
■ Objectives 
■ Cisco VPN 3002 Hardware Client remote access with pre-shared keys 

Objectives 

This topic lists the lesson's objectives. 

Upon completion of this lesson, you will be able to perform the following tasks: 

■ Configure the Cisco VPN 3002 Hardware Client for client mode remote access. 
■ Configure the Cisco VPN 3002 Hardware Client for network extension mode remote access. 
■ Monitor the status of the Cisco VPN 3002 Hardware Client. 

Cisco VPN 3002 Hardware Client Remote Access with Pre-Shared Keys 

This lesson explains how to configure the Cisco Virtual Private Network (VPN) 3002 
Hardware Client for remote access. 

Remote Access (figure): a remote user is either a single user or a small office/home office (SOHO). 

If a single remote user wants the ability to dial into the corporate network, typically the VPN 
software client is loaded onto the PC, which enables the remote user to establish secure 
communications with the central site. With the client resident on the PC, the user does not have 
to carry any external hardware. The caveat is that the software client works for only the single 
PC on which it is installed. 


Small Office/Home Office (SOHO) is better positioned to use the Hardware Client. Just plug 
the SOHO PCs into the Hardware Client. The Hardware Client establishes secure 
communications for all the SOHO PCs. The Hardware Client supports up to 253 users. There is 
no need to add any VPN applications to the SOHO PC. The Hardware Client takes care of all 
the tunneling requirements. 
Remote Access Tunnel (figure): an IPSec tunnel or session across the Internet between the 
Hardware Client, with the SOHO PCs behind it, and the Concentrator, with the application 
server behind it. 

In the example, the Cisco VPN software client was ported over to the Hardware Client. The 
Hardware Client provides the VPN software client functionality on a hardware platform. The 
Hardware Client works with the Cisco VPN 3000 Series Concentrator to create a secure 
connection, called a tunnel, between the SOHO PCs and the private network. It uses the Internet 
Key Exchange (IKE) and IPSec tunneling protocols to make and manage the secure 
connection. No applications need to be added to the SOHO PC to perform the tunneling. 


10-4 Cisco Secure Virtual Private Networks 4.1 Copyright © 2005, Cisco Systems, Inc. 


Hardware Client Modes (figure): the Concentrator's public interface is 192.168.1.5 and the 
application server is 10.0.1.10. In client mode (PAT), the two Hardware Clients at 172.26.26.1 and 
172.26.26.2 receive the virtual addresses 10.0.1.12 and 10.0.1.22, and the SOHO PCs behind them 
(192.168.10.2 and 192.168.10.3; 192.168.10.22 and 192.168.10.23) are translated to those 
addresses. In network extension mode, the same two Hardware Clients carry their SOHO networks 
unchanged: 10.0.2.12 and 10.0.2.13 behind the first, 10.0.3.22 and 10.0.3.23 behind the second. 

Client and network extension modes are the two modes of operation in the Hardware Client: 

■ The client mode is for those who want to deploy a VPN quickly and easily in small remote 
offices. If there is no need to see the devices behind the Hardware Client, and ease of use 
and installation is the key, then client mode should be implemented. In client mode, the 
Hardware Client uses Port Address Translation (PAT) to isolate its private network from 
the public network. SOHO PCs behind the Hardware Client are invisible to the outside 
world. PAT causes all traffic from the SOHO PCs to appear on the private network as a 
single source IP address. In the figure, each Hardware Client receives a virtual IP 
address, 10.0.1.12 or 10.0.1.22 respectively, from the Concentrator during tunnel 
establishment. All remote PC addresses in the client mode section have their IP address 
translated to either 10.0.1.12 or 10.0.1.22, depending on which network they reside on. 

■ In network extension mode, all SOHO PCs on the Hardware Client network are uniquely 
addressable via the tunnel. This allows direct connection to devices behind the Hardware 
Client. It enables Management Information Systems (MIS) personnel at the central site to 
directly address devices behind the Hardware Client over the IPSec tunnel. Most companies 
use the Hardware Client in network extension mode. 
Remote Access Tunneling—Hardware Client Mode

[Figure: Remote Access Tunneling, Hardware Client mode. A PC (PC IP address 192.168.10.2) behind the Hardware Client (VPN public IP 172.26.26.1) reaches the application server (server address 10.0.1.10) through the ISP and the Internet to the Concentrator (192.168.1.5); PAT maps the PC to the VPN private IP 10.0.1.12.]
In the figure, there is a small remote office with a Hardware Client and a PC. The remote PC needs to access information on the application server. To provide secure communications, the information is sent over an IPSec tunnel using an IP-in-IP encapsulation. There are three components to the IP-in-IP encapsulation:

■ Outside header—Used to route the information through the network. The addresses used represent the two ends of the tunnel. The source address is the Hardware Client NIC: 172.26.26.1. The destination address is the Concentrator's public interface: 192.168.1.5. These two addresses are used to route the traffic through the Internet.

■ Inside header—The inside header represents the two end points of the conversation. In this case, a PC at the remote office is accessing a server on the corporate LAN. The source address is the Hardware Client virtual IP address: 10.0.1.12. The Concentrator or a Dynamic Host Configuration Protocol (DHCP) server usually supplies this address to the Hardware Client. The Hardware Client translates the SOHO PC's address, 192.168.10.2, to the virtual IP address, 10.0.1.12 port 10000, via PAT. This gives the client the appearance of being a resident on the private network. PAT hides the actual PC address from the outside world. The destination address is the application server on the customer's private network: 10.0.1.10.

■ Encapsulating Security Protocol (ESP) header—To keep the payload private, the inner header and data payload are encrypted and encapsulated via an ESP header. The ESP header indicates to the receiver that the payload is IPSec-encapsulated data. At the central site, the Concentrator strips the outer header, decrypts the data, and forwards the packet according to the inside IP address.
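The client-mode packet walked through above (PAT on the Hardware Client, the inside header, ESP and the outside header) and the Concentrator's decapsulation, as an added Python model that is not part of the Cisco course: ESP is shown with NULL encryption and HMAC-MD5-96 integrity (a valid IPSec combination that needs only the standard library) in place of the course's 3DES, and the sample key, ports and payload are constructed.

```python
"""Added model (not Cisco code) of the client-mode packet: PAT, inside header,
ESP and outside header on the Hardware Client; decapsulation on the Concentrator.
ESP uses NULL encryption with HMAC-MD5-96 integrity so only the standard library
is needed; a real peer encrypts the ESP payload (3DES in the course) first."""
import hashlib, hmac, ipaddress, struct

ESP_PROTO = 50          # outside header protocol number for ESP
UDP_PROTO = 17
IPIP_NEXT_HEADER = 4    # ESP next header: payload is a whole IPv4 packet (tunnel mode)
ICV_LEN = 12            # HMAC-MD5-96 truncates the MAC to 96 bits

class HardwareClientPAT:
    """Client-mode PAT: every SOHO source is rewritten to the one virtual IP."""
    def __init__(self, virtual_ip, first_port=10000):
        self.virtual_ip = virtual_ip
        self.next_port = first_port
        self.table = {}  # (soho_ip, soho_port) -> translated port

    def translate(self, soho_ip, soho_port):
        key = (soho_ip, soho_port)
        if key not in self.table:  # new flow: allocate the next port
            self.table[key] = self.next_port
            self.next_port += 1
        return self.virtual_ip, self.table[key]

def _checksum(data):
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]

def parse_ipv4(pkt):
    ver_ihl, _, total, _, _, _, proto, _, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total]}

def esp_encapsulate(spi, seq, inner_packet, auth_key):
    """SPI | seq | payload | padding | pad len | next header | ICV (ESP-NULL)."""
    pad_len = (-(len(inner_packet) + 2)) % 4  # align the trailer to 4 bytes
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, IPIP_NEXT_HEADER])
    esp = struct.pack("!II", spi, seq) + inner_packet + trailer
    icv = hmac.new(auth_key, esp, hashlib.md5).digest()[:ICV_LEN]
    return esp + icv

def esp_decapsulate(esp_packet, auth_key):
    esp, icv = esp_packet[:-ICV_LEN], esp_packet[-ICV_LEN:]
    expected = hmac.new(auth_key, esp, hashlib.md5).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # verify before parsing anything
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack("!II", esp[:8])
    pad_len, next_header = esp[-2], esp[-1]
    return spi, seq, next_header, esp[8:len(esp) - 2 - pad_len]

def hardware_client_send(pat, soho_ip, soho_port, server_ip, server_port, data,
                         auth_key, spi, seq, client_public="172.26.26.1",
                         concentrator_public="192.168.1.5"):
    """Hardware Client side: PAT, inside header, ESP, then the outside header."""
    vip, vport = pat.translate(soho_ip, soho_port)
    udp = struct.pack("!HHHH", vport, server_port, 8 + len(data), 0) + data
    inside = ipv4_header(vip, server_ip, UDP_PROTO, len(udp)) + udp
    esp = esp_encapsulate(spi, seq, inside, auth_key)
    return ipv4_header(client_public, concentrator_public, ESP_PROTO, len(esp)) + esp

def concentrator_receive(wire, auth_key):
    """Concentrator side: strip the outside header, verify ESP, read the inside header."""
    outside = parse_ipv4(wire)
    if outside["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    spi, seq, next_header, inside_pkt = esp_decapsulate(outside["payload"], auth_key)
    if next_header != IPIP_NEXT_HEADER:
        raise ValueError("unexpected ESP next header %d" % next_header)
    inside = parse_ipv4(inside_pkt)
    sport, dport, _, _ = struct.unpack("!HHHH", inside["payload"][:8])
    return {"outside_src": outside["src"], "outside_dst": outside["dst"], "spi": spi,
            "seq": seq, "inside_src": inside["src"], "inside_dst": inside["dst"],
            "src_port": sport, "dst_port": dport, "data": inside["payload"][8:]}

if __name__ == "__main__":
    # Constructed sample: SOHO PC 192.168.10.2 behind the Hardware Client (public
    # 172.26.26.1, virtual IP 10.0.1.12) sends to the application server 10.0.1.10.
    key = b"constructed-sample-auth-key"  # placeholder, not a real SA key
    pat = HardwareClientPAT("10.0.1.12")
    wire = hardware_client_send(pat, "192.168.10.2", 40000, "10.0.1.10", 53,
                                b"query", key, spi=0x1000, seq=1)
    for name, value in concentrator_receive(wire, key).items():
        print("%-12s %s" % (name, value))
```

The printed result shows the outside pair 172.26.26.1 to 192.168.1.5, the inside pair 10.0.1.12 port 10000 to 10.0.1.10, and the original PC address absent from everything that crosses the Internet.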
Hardware Client—Physical Connections

[Figure: Hardware Client physical connections: hardware reset switch, power, console port, public interface (VPN public IP 172.26.26.1) toward the Internet, private interface (VPN private IP 192.168.10.5) and a local PC (192.168.10.11).]
The Hardware Client is equipped with a universal power factor correction, 100-240 VAC, external power supply. A power cord with the correct plug is supplied. When the Hardware Client arrives from the factory, plug it in and power it up. Connect the SOHO PC or local LAN to the Hardware Client's private interface. Cable the Internet side of the network to the public interface of the Hardware Client. Plug a PC into the console port. The serial port needs to be configured for 9600 8N1.
Hardware Client—Configuration Options

[Figure: the VPN 3002 Hardware Client Manager login screen.]
When the Hardware Client physical hardware is connected, the administrator must gain access to the Hardware Client Manager. The Hardware Client comes from the factory with a private interface IP address of 192.168.10.1. Hook up a PC to the private port and configure the PC's TCP/IP address. To gain access to the Hardware Client, point the browser to the IP address of the private interface, http://192.168.10.1. Log in using admin/admin. No CLI intervention is required.


However, if you would rather configure the Hardware Client via CLI or if you need to change 
the default address on the private LAN interface, you can use the CLI. The default serial port 
setting is 9600 8N1. 
GUI

[Figure: VPN 3002 Hardware Client Manager main window (logged in as admin). Toolbar: Configuration | Administration | Monitoring. The welcome text describes Configuration (configure all features of this device), Administration (control administrative functions on this device) and Monitoring (view status, statistics, and logs on this device); the bar at the top right has Main, Help, Support and Logout; the icons under the location bar are Save (save the active configuration and make it the boot configuration), Save Needed (as above, indicating you have changed the active configuration), Reset (temporarily reset statistics to zero), Restore (restore statistics from their reset values) and Refresh (refresh statistics). Labels: Toolbar, Manager screen.]
The main window of the Hardware Client Manager after logging into the device is made up of the following:

■ The top frame (Hardware Client Manager toolbar) provides quick access to manager functions, configuration, administration, and monitoring.

■ The left frame (table of contents) provides the table of contents to the Manager's windows.

■ The main frame (Manager's) displays the current Hardware Client Manager window. From here you can navigate the Manager using either the table of contents in the left frame or the toolbar at the top of the frame. Select a title on the left frame of the window and the Hardware Client will introduce the manager window for the selected title.

■ Under the location bar, the Save Needed icons may appear. When finished with a configuration window, click Apply. Apply allows the configuration to take effect immediately. Click Save Needed to save the changes to memory. If you reboot without saving, your configuration changes are lost.


Copyright © 2005, Cisco Systems, Inc. Configure the Cisco VPN 3002 Hardware Client for Remote Access Using Pre-Shared Keys 10-9 
Quick Configuration

[Figure: Configuration | Quick window. "Quick Configuration lets you quickly configure the VPN 3002 for basic connectivity. Use the Main Configuration menu to set advanced options. You can go through Quick Configuration multiple times." Its steps: set the system time, date and time zone; configure the Ethernet interface to your private interface (to use LAN Extension mode, you must configure an IP address other than the default); optionally upload an already existing configuration file; configure the public interface to a public network; specify a method for assigning IP addresses; configure the IPSec tunneling protocol with group and user names and passwords and encryption options; set the VPN 3002 to use either PAT or LAN Extension mode; configure DNS; configure static routes; change the admin password for security; done. A link starts Quick Configuration.]
There are two ways to configure the Hardware Client: quick configuration and the main menu. The goal of quick configuration is to provide the minimal parameters needed for operation. Quick configuration guides you through the windows necessary to get a single tunnel up and running. Use the main menu to tune an application or configure features individually. The next windows take you through a sample Hardware Client remote access configuration example using quick configuration. You can access quick configuration from the Configuration>Quick window.

Note Hardware Client quick configuration can be run multiple times.
System Information

[Figure: Configuration | Quick | Time and Date. "Set the time on your device. The correct time is very important, so that logging entries are accurate." The current time on this device is shown (Monday, 18 February 2002 12:48:30), with New Time fields (hour, minute, second, month, day, year, time zone), an Enable DST Support check box, and Back (go back without saving changes) and Continue (save changes and continue) buttons.]
There are ten menu selections under quick configuration. The selections can be viewed along the top of the window. The first selection is Time. This window enables the operator to set the time and date on the Hardware Client. The correct time is very important so that logging, certificate verification, and accounting entries are accurate. The window shows the current date and time on the device. The values shown in the New Time fields are the time on the browser PC, but any entries you make apply to the Hardware Client. Enter the year as a four-digit number.

When you click Continue, the values are saved to the run-time configuration, but not saved in flash memory. If you remove power from the Hardware Client, the values are lost.

When you click Done at the end of the quick configuration menu, the values are automatically saved to the flash memory.
Configuration Upload

[Figure: Configuration | Quick | Upload Config. The quick configuration menu bar reads Time, Upload Config, Interface 1, Interface 2, IPSec, PAT, DNS, Static Routes, Admin, Done. First screen: "Do you want to upload a configuration file? A configuration file already exists on the VPN 3002." with buttons to go back to the previous page, to upload the configuration file and then reset the VPN 3002, and to continue on with Quick Configuration. Second screen: "Type in the name of the config file on your workstation." with a Config File field, Upload (the config file) and Back (to the previous page).]
The next window, Upload Config, enables you to upload a previously saved configuration file. Browse to the location of the file, and click Upload. The Hardware Client checks the file to make sure it is a VPN configuration file. Once the file has been uploaded, reboot the Hardware Client without saving the active configuration, and the uploaded configuration will be loaded as the new run-time configuration.
Private IP Address Interface

[Figure: Private Interface window. Network diagram: Ethernet 2 (public IP address) 172.26.26.1, Ethernet 1 (private IP address) 192.168.10.1. Warning: "You are modifying the interface you are using to connect to this device. If you make any changes, you will break the connection and you will have to restart from the login screen." Current settings: IP Address 192.168.10.1 / 255.255.255.0, DHCP Server Disabled. Questions: "Do you want to configure the IP address of the Private Interface?" (Yes / No) and "Do you want to use the DHCP server on Interface 1 to provide addresses for the local LAN?" (Yes, and configure the DHCP server parameters / Yes, but leave the DHCP server parameters as is / No, do not use the DHCP server to provide addresses). Back (go back without making any changes) and Continue (make changes and continue) buttons.]
The next window is Private Interface. The top of the window displays the current IP address and status of the DHCP server. In this case, the default private IP address is used, 192.168.10.1, and the DHCP server is disabled.

The middle section of the window deals with the IP address of the private interface. For the question, "Do you want to configure the IP address of Interface 1 (Private)?" you can change the interface address by selecting Yes. Modifying the address breaks the management connection. You can accept the IP address by selecting No. The default IP address is 192.168.10.1.

The bottom section of the window prompts you for the DHCP server parameters. For the question "Do you want to use the DHCP server on Interface 1 to provide addresses for the local LAN?", you can select one of the following choices:

■ Yes, and configure the DHCP server parameters—Enables the Hardware Client to act as a DHCP server and enables you to change the DHCP address pool.

■ Yes, but leave the DHCP server parameters as is—Enables you to use the Hardware Client as a DHCP server without changing the default pool. If enabled, the default pool can be viewed at the top of the figure above (for example, DHCP Server Enabled [192.168.10.1-192.168.10.128]).

■ No, do not use the DHCP server to provide addresses—Disables the DHCP server on the Hardware Client.
Public IP Address Interface

[Figure: Public Interface window. Network diagram: default gateway 172.26.26.100 on the Internet side, Ethernet 2 (public IP address) 172.26.26.1, Ethernet 1 (private IP address) 192.168.10.1. Fields: System Name ("a.k.a. hostname; may be required to be set if you use DHCP to obtain an address"), and "How do you want to configure the IP address of the Public Interface?" with the choices Obtain an IP address from a DHCP server; Use PPPoE to connect to a public network (PPPoE User Name, PPPoE Password, Verify PPPoE Password); Specify an IP address (IP Address 172.26.26.1, Subnet Mask 255.255.255.0, Default Gateway 172.26.26.100). Back (go back without saving any changes) and Continue (save changes and continue) buttons.]
The fourth window is used to define a system name for the Hardware Client and obtain an IP address for the public interface. There are three ways to configure the IP address for the public interface: get an address from a DHCP server, use Point-to-Point Protocol (PPP) over Ethernet (PPPoE) to connect, or define a static IP address. The configuration options of the public interface IP address are as follows:

■ DHCP Client—The Hardware Client can act as a DHCP client. Select Obtain an IP address from a DHCP server to receive an address from a DHCP server.

■ PPPoE Client—If you want to connect to your Internet provider using PPPoE, select Use PPPoE to connect to a public network and then enter information in the following fields:

— PPPoE User Name—Enter a valid PPPoE username.

— PPPoE Password—Enter the PPPoE password for the username you entered above.

— Verify PPPoE Password—Enter the PPPoE password again to verify it.

■ Static IP Address—Select Specify an IP address to use a static IP address, and enter the information in the following fields:

— IP Address—Enter the IP address for this interface, using dotted decimal notation (for example, 172.26.26.1). Note that 0.0.0.0 is not allowed.

— Subnet Mask—Enter the subnet mask for this interface using dotted decimal notation (for example, 255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. You can accept this entry or change it. Note that 0.0.0.0 is not allowed.

— Default Gateway—Enter the IP address of the system to which the Hardware Client should route packets that are not explicitly routed. In other words, if the Hardware Client has no IP routing parameters that specify where to send a packet, it will send it to this gateway. This address must not be the same as the IP address configured on any Hardware Client private interface.
IPSec Protocol

[Figure: IPSec window. Network diagram: Hardware Client to Concentrator 192.168.1.5 over the Internet; Group training, User student1. "Enter the information needed to connect to the central-site VPN Concentrator server." Fields: Remote Server 192.168.1.5 (enter remote server address/host name); IPSec over TCP check box (check to enable IPSec over TCP); IPSec over TCP Port 10000 (1 - 65535); Use Certificate check box (click to use the installed certificate); Certificate Transmission: Entire certificate chain / Identity certificate only (choose how to send the digital certificate to the server); Group name, password and verify (training); User name, password and verify (student1), labelled private network authentication. Continue button (save changes and continue).]
The IPSec window enables you to configure the IPSec parameters, which allow the Hardware Client to connect to the Concentrator over a secure VPN tunnel. The IPSec fields are configured as follows:

■ Remote Server field—Enter the IP address of the Concentrator to which this Hardware Client connects (for example, 192.168.1.5).

■ IPSec over TCP—Encapsulates encrypted data traffic within TCP packets. This feature enables the Hardware Client to operate in an environment in which standard Encapsulating Security Protocol (ESP, Protocol 50) or IKE (UDP 500) cannot function, or can function only with modification to existing firewall rules. IPSec over TCP encapsulates both the IKE and IPSec protocols within a TCP packet, and enables secure tunneling through both Network Address Translation (NAT) and PAT devices and firewalls.

— IPSec over TCP—Enables IPSec connections using TCP encapsulation. This feature must also be enabled on the Concentrator to which this Hardware Client connects.

— IPSec over TCP Port—Enter the IPSec over TCP port number. You can enter one port. The port that you configure on the Hardware Client must also be configured on the Concentrator to which this Hardware Client connects.

■ Use Certificate field—Select the Use Certificate check box to use digital certificates for authentication. If you are using digital certificates, there is no need to enter a group name and group password. The Hardware Client checks certificates loaded in the Hardware Client. If no certificate is loaded, an error message opens after you click the Continue button.

■ Certificate Transmission field—If you configured authentication using digital certificates, choose the type of certificate transmission.

— Entire certificate chain—Sends the identity certificate and all issuing certificates to the peer. Issuing certificates include the root certificate and any subordinate CA certificates.

— Identity certificate only—Sends only the identity certificate to the peer.

■ Group fields—If you are not using digital certificates, in the Group fields, enter a unique name and password for this group. This is the same group name and password that you configured for this Hardware Client on the central-site Concentrator (for example, training). If the Hardware Client group name and password match the entries in the Concentrator database, the user gains entrance to the Concentrator.

■ User fields—In the User Name and Password fields, enter a unique name and password for the Hardware Client user. This is the same username and password that you configured in the authentication server (for example, student1). If the Hardware Client username and password match the entries in the authentication server database, the user gains entrance to the corporate network.
[Figure: Configuration | Quick | PAT. Network diagram with SOHO PCs 192.168.10.31 and 192.168.10.32 behind the Hardware Client. Message: "Because the IP Address of Interface 1 (Private) was not changed from the initial default value, you cannot disable PAT on the IPSec tunnel to the VPN Concentrator." Back (go back without making any changes) and Continue (make changes and continue) buttons.]
You use this window to configure this Hardware Client to use either Port Address Translation (PAT) or network extension mode. In the example within the figure, because the operator did not change the IP address of the private interface, the interface requires that PAT be enabled over the tunnel.

Note You cannot disable PAT if you have not changed the IP address for the private interface.
DNS

[Figure: Configuration | Quick | DNS. Network diagram: a DNS server on the Internet side, the host boston01, and SOHO PCs 192.168.10.31 and 192.168.10.32. "Configure the ISP's DNS server IP address. Enter 0.0.0.0 to not use DNS." Fields: DNS Server 0.0.0.0, Domain. Back (go back without making any changes) and Continue (make changes and continue) buttons.]
This window enables you to specify a Domain Name System (DNS) server. This enables you to enter Internet hostnames (for example, boston01), rather than IP addresses for servers as you configure and manage the Hardware Client. While hostnames are easier to remember, using IP addresses avoids problems that might arise if the DNS server goes offline, gets congested, and so on. If you use a hostname to identify the central-site Concentrator, you must configure a DNS server.
Static Routes

[Figure: Static Routes window. Network diagram: Concentrator 192.168.1.5 over the Internet to the Hardware Client with PCs 192.168.10.31 and 192.168.10.32. "This section lets you configure static routes for IP routing." Static Routes list and actions: Add (a route to the routing table), Delete (a route from the routing table), Back (to the previous section), Continue (to the next section).]

This section enables you to configure static routes for IP routing. The Hardware Client does not support Routing Information Protocol (RIP) or Open Shortest Path First (OSPF), so a static route must be supplied. This window displays the current static route as defined under the IPSec remote server parameter. In the example in the figure, all Hardware Client traffic is routed to 192.168.1.5, the Concentrator's public interface.

In this window, you can take the following actions:

■ Add—Click Add to add a route to the routing table.

■ Delete—Select a route in the Static Routes field, and click Delete to delete it.

■ Back—Go to the previous quick configuration window.

■ Forward—Go to the next quick configuration window.
Admin Password

[Figure: Admin window with the administrator password fields, Back (go back without saving changes) and Continue (save changes and continue) buttons; inset of the VPN 3002 Hardware Client Manager login screen with an Install SSL Certificate link.]
This window enables you to change the password for the administrator. For ease of use during startup, the default administrator password supplied with the Hardware Client is admin. Because the administrator has full access to all management and administration functions on the device, it is strongly recommended that you change this password to improve device security. The administrator parameters are as follows:

■ Password—Enter or edit the unique password for this administrator. The field displays only asterisks. The default password that Cisco supplies is the same as the username. It is strongly recommended that you change this password.

■ Verify—Re-enter the password to verify it. The field displays only asterisks.

There is a reset password utility, which enables you to reset the password to the default. After you reboot the system and the diagnostic check is complete, a line of three dots (...) appears on the console. Pressing Control-Break within three seconds after seeing the three dots displays a new menu that enables you to reset the system passwords back to the default.
Access Rights

[Figure: Administration | Access Rights | Administrators on the Hardware Client. "This section presents administrator users. Any changes you make take effect immediately." Rows: Administrator admin (Password, Verify); Administrator config (Enabled check box, Password, Verify); Administrator monitor (Enabled check box, Password, Verify). Apply and Cancel buttons.]
You can further configure all administrators under the main menu in the Configuration>Access Rights>Administrators window. The Hardware Client has three levels of graphical user interface (GUI) access: admin, config, and monitor. Within these three levels, a user can do the following:

■ Administrator Admin—Can do everything

■ Administrator Config—Quick configuration and monitoring (by default it is disabled)

■ Administrator Monitor—Monitoring windows only (by default it is disabled)

The Configuration>Access Rights>Administrators window enables the administrator to enable or disable access levels and change passwords. By default, the only enabled level is admin. Selecting the Enabled check box and entering a password can activate additional levels.
Launching the Client

[Figure: Monitoring | System Status on the Hardware Client (07 August 2002 09:45:11), with Reset and Refresh links. VPN Client Type: 3002-8E; Serial Number; Bootcode Rev: Cisco Systems, Inc./VPN 3002 Hardware Client Version 3.0 Rel Feb 26 2001 10:39:17; Software Rev: Cisco Systems, Inc./VPN 3002 Hardware Client Version 3.6 Beta_2 Jun 26 2002 14:01:01; Up For 0:03:08; Up Since 03/07/2002 09:42:03; RAM Size 16 MB. Disconnect Now and Connect Now buttons; "No Tunnel Established". "In the pictures below, select and click a module for status details."]
In the figure, the Hardware Client configuration is complete. It is time to launch the tunnel. By default in client mode, no tunnel is established. You must manually initiate the tunnel. There are two ways to do this:

■ Click Connect Now in the Monitoring>System Status window.

■ Send traffic to the Hardware Client destined for the remote end.

You can verify that the tunnel is established by trying to ping an interface on the remote Concentrator. The Hardware Client recognizes the remote-bound traffic and attempts to establish a tunnel. If a tunnel is established, it is viewable on this window. If the tunnel does not appear in the window, check the event log of the Hardware Client and the Concentrator.
Hardware Client—Monitoring System Status

[Figure: Monitoring | System Status on the Hardware Client with a tunnel up. Network diagram: Hardware Client 172.26.26.1 with PC 192.168.10.31; tunnel between the Concentrator 192.168.1.5 and the assigned address 10.0.1.70. Hardware information: VPN Client Type 3002-8E, Serial Number, Bootcode Rev (VPN 3002 Hardware Client Version 3.0 Rel Feb 26 2001), Software Rev (VPN 3002 Hardware Client Version 3.6 Beta_2 Jun 26 2002), Up For 0:24:54, Up Since 02/07/2002 09:42:02, RAM Size 16 MB; Disconnect Now and Connect Now buttons. Tunnel information: Assigned IP Address 10.0.1.70; Tunnel Established to 192.168.1.5; Duration 0:00:47; Tunnel Type IPSec. Security Associations table (Type, Remote Address, Encryption, Authentication, Octets In/Out, Packets In/Out): IKE 192.168.1.5 DES/MD5, Aggressive Mode, DH Group 2; IPSec 192.168.1.5 3DES HMAC/MD5; IPSec 10.0.1.0/255.255.255.0 3DES HMAC/MD5.]
The Monitoring>System Status window on the Hardware Client enables the administrator to launch the tunnel and check the status of the tunnel and the Hardware Client hardware. The top portion of the window displays the Hardware Client hardware information, such as software revision, RAM size, and up time information. The middle portion enables the administrator to connect and disconnect the tunnel by clicking the Connect Now and Disconnect Now buttons. If a tunnel is established, the bottom portion of the window displays tunnel information, such as the assigned IP address, the tunnel established, the duration time, and security associations (SAs).

In the example within the figure, a tunnel was established to a Concentrator whose public interface address is 192.168.1.5. The virtual address assigned to the client by the Concentrator is 10.0.1.70. The tunnel has been up for 47 seconds. In the SA table, the encryption method is Triple Data Encryption Standard (3DES) while the authentication method is Message Digest 5 (MD5).

The session information is also available on the Concentrator by going to the Monitoring>Sessions window.
Concentrator—Monitor Session

[Figure: Concentrator Monitoring | Sessions window. Network diagram: application server 10.0.1.10, Concentrator 192.168.1.5, tunnel to the Hardware Client 172.26.26.1 (assigned address 10.0.1.70) with PCs 192.168.10.31 and 192.168.10.32. Session Summary: Active LAN-to-LAN Sessions 0, Active Remote Access Sessions 1, Active Management Sessions 1, Total Active Sessions, Peak Concurrent Sessions 3, Concurrent Sessions Limit 100, Total Cumulative Sessions 15. LAN-to-LAN Sessions: none. Remote Access Sessions (Username, Assigned IP Address, Public IP Address, Group, Protocol, Encryption, Login Time, Duration, Client Type, Version, Bytes Tx, Bytes Rx): student1, 10.0.1.70, 172.26.26.1, training, IPSec, 3DES-168, VPN 3002, 3.6Beta_2. Management Sessions (Administrator, IP Address, Protocol, Encryption, Login Time, Duration): admin, HTTP, None.]
The Monitoring>Sessions window enables the administrator to view session information. In the third portion of the window, Remote Access Sessions, you can view statistics for the Hardware Client-to-Concentrator tunnel. The following information is included:

■ Username—The username or login name for the session.

■ Public IP address—The public IP address of the client for this remote access session. This is also known as the outer IP address.

■ Assigned IP address—The private IP address assigned to the remote client for this session. This is also known as the "inner" or virtual IP address.

■ Group—The user's group.

■ Protocol—The protocol this session is using.

■ Encryption—The data encryption algorithm this session is using.

■ Login Time—The date and time (MM DD HH:MM:SS) that the session logged in.

■ Duration—The elapsed time (HH:MM:SS) between the session login time and the last window refresh.

■ Client Type—The type of client connected.

■ Version—The software version number (for example, 3.6.Rel) for connected clients.

■ Bytes Transmitted and Received—The total number of bytes transmitted to and received from the remote peer by the Concentrator.

Click the username, in this example the username is student3, to get more detailed information on the session.
Concentrator—Monitor Session Details

[Figure: Concentrator Monitoring | Sessions | Details window. Network diagram as before: 10.0.1.10, 192.168.1.5, tunnel to 172.26.26.1 (assigned address 10.0.1.70), PCs 192.168.10.31 and 192.168.10.32. The top line repeats the remote access session entry (Username student1, Public IP Address 172.26.26.1, Assigned IP Address 10.0.1.70, Protocol IPSec, Encryption 3DES-168, Login Time, Duration, Bytes Tx, Bytes Rx). IKE Session: Session ID, Encryption Algorithm 3DES-168, Hashing Algorithm MD5, Diffie-Hellman Group 2 (1024 bit), Authentication Mode Pre-Shared Keys (XAUTH), IKE Negotiation Mode Aggressive, Rekey Time Interval 86400 seconds. IPSec Session: Remote Address 172.26.26.1, Local Address 192.168.1.5, Encryption Algorithm 3DES-168, Hashing Algorithm MD5, Idle Time, Encapsulation Mode Tunnel, Rekey Time Interval, Bytes Transmitted. IPSec Session: Remote Address 10.0.1.70, Local Address 10.0.1.0/0.0.0.255, Encryption Algorithm 3DES-168, Hashing Algorithm MD5, Encapsulation Mode Tunnel, Rekey Time Interval, Bytes Received, Bytes Transmitted.]
The administrator can also monitor VPN-to-Concentrator sessions from the Concentrator. The Monitoring>Session>Details window enables the administrator to get more in-depth information about the session, such as the hashing algorithm, authentication mode, encryption algorithm, and Diffie-Hellman (DH) group. The top line is a repetition of the remote access session entry. Below the remote access session entry, the window is divided into IKE and IPSec sessions.

The first session is the IKE session. This session displays the details of the IKE tunnel establishment: hashing algorithm, encryption algorithm, authentication method, rekey interval, Diffie-Hellman group, and IKE negotiation mode. The next sessions detail the IPSec sessions. Displayed are the attributes of each IPSec session, including the local and remote IP address, hashing and encryption algorithms, encapsulation mode, rekey interval, and so on.

In the figure above, the tunnel is established between the public interfaces of the Concentrator, 192.168.1.5, and the Hardware Client, 172.26.26.1. When traffic flows, it flows between the central site LAN, 10.0.1.0, and a PAT address on the Hardware Client's private network, 10.0.1.70. The remote PC's IP address is changed to 10.0.1.70 and given a UDP port number. The remote PC's IP address is hidden from the outside. Hosts on the Hardware Client are not directly addressable from the central site.
Network Extension Mode

[Figure: Network extension mode topology. Central site host 10.0.1.10 behind the Concentrator public interface 192.168.1.5; across the Internet, two Hardware Clients: public interface 172.26.26.10 with private network 192.168.10.10 (hosts 192.168.10.12 and 192.168.10.13) and public interface 172.26.26.20 with private network 192.168.20.10 (hosts 192.168.20.12 and 192.168.20.13).]

In network extension mode, all PCs on the Hardware Client are uniquely addressable via the tunnel. This enables MIS personnel at the central site to directly address devices behind the Hardware Client over the IPSec tunnel.

To implement network extension mode, the Hardware Client must be reconfigured. Programming network extension mode is a three-step process. First, network extension mode must be enabled on the Concentrator. Next, the IP address of the Hardware Client's private interface must be changed from the factory default (if it is left at the default, network extension mode is disabled). Lastly, network extension must be enabled on the Hardware Client.
Concentrator—Hardware Client Tab

[Figure: Configuration | User Management | Groups | Modify training, HW Client tab. Topology: Concentrator, Internet, Hardware Client 172.26.26.1 / 192.168.10.10 with hosts 192.168.10.31 and 192.168.10.32. Window text: "Check the Inherit? box to set a field that you want to default to the base group value. Uncheck the Inherit? box and enter a new value to override base group values." Fields: Require Interactive Hardware Client Authentication (Check to require the hardware client to be interactively authenticated at each connection attempt); User Idle Timeout 30 (Enter the session idle timeout in minutes. Use 0 for no timeout); Cisco IP Phone Bypass (Check to allow Cisco IP Phones to bypass Individual User Authentication behind a hardware client); Allow Network Extension Mode (Check to allow hardware clients using Network Extension Mode to ...); Apply and Cancel buttons.]
By default, a Hardware Client cannot automatically connect to a Concentrator. The administrator must allow remote Hardware Clients using network extension to connect to a Concentrator on a group-by-group basis. From the Concentrator, go to Configuration>User Management>Groups>Modify to enable network extension mode. Under the HW Client tab, select the Allow Network Extension Mode check box. The feature is disabled by default.
Quick Configuration—IP Address

[Figure: Configuration>Quick>Private Interface windows. Topology: central site host 10.0.1.10, Concentrator 192.168.1.5, Internet, Hardware Client 172.26.26.1 / 192.168.10.10 with hosts 192.168.10.31 and 192.168.10.32. First window: warning "You are modifying the interface you are using to connect to this device. If you make any changes, you will break the connection and you will have to restart from the login screen"; IP Address 192.168.10.1/255.255.255.0, DHCP Server Disabled; "Do you want to configure the IP address of the Private Interface?" Yes (selected) / No; "Do you want to use the DHCP server on Interface 1 to provide addresses for the local LAN?" with the choices "Yes, and configure the DHCP server ...", "Yes, but leave the DHCP server ..." and "No, do not use the DHCP server to ..." (selected); Back (Click to go back without making any changes) / Continue (Click to make changes and continue). Second window: the same warning; IP Address 192.168.10.10, Subnet Mask 255.255.255.0; Back (Click to go back without saving any changes) / Continue (Click to save changes and continue).]
The next step in configuring network extension mode is to change the IP address of the private interface. Choose the Configuration>Quick>Private Interface window to reconfigure the IP address. Notice near the top of the window, the current IP address is 192.168.10.1, which is the default. When the GUI prompts you with the question, "Do you want to configure the IP address of the Private interface?" you have the following choices:

■ You can accept the default IP address. If you do this, you are locked into the client mode.

■ You can change the IP address. If you change the IP address of the private interface, you can choose between client or network extension modes (configured under the Quick Configuration>PAT window). In the figure, Yes is selected because we want to use network extension mode. Click Continue.

A window opens and prompts you for the new IP address and subnet mask. Fill in the new values and click Continue. If you make changes, you will break the connection. Make the necessary changes to the gateway value of your PC and restart the GUI from the login window.
Quick Configuration—Network Extension Mode

[Figure: Configuration>Quick>PAT window. Topology: Concentrator 192.168.1.5, Internet, Hardware Client 172.26.26.1 / 192.168.10.10 with hosts 192.168.10.31 and 192.168.10.32. "Do you want to use PAT on the IPSec tunnel to the VPN Concentrator?" Yes / No, use Network Extension mode; Back (Click to go back without making any changes) / Continue (Click to make changes and continue).]

The last step is to configure the Hardware Client for network extension mode. In the Configuration>Quick>Public Interface, the address of the interface was changed. Use the Configuration>Quick>PAT window to enable either PAT or network extension mode. If you select Yes, you get PAT and client mode. If you select No, you opt for network extension mode. In this case, No was selected, which enables network extension mode. When the IPSec session is established, the data flows between the Concentrator and the private interface of the Hardware Client: 192.168.1.5 to 192.168.10.10.
Hardware Client—Monitor Status

[Figure: Hardware Client Monitoring>System Status window. Topology: central site host 10.0.1.10, Concentrator 192.168.1.5, Internet, Hardware Client 172.26.26.1 / 192.168.10.10 with hosts 192.168.10.31 and 192.168.10.32; tunnel between Concentrator and Hardware Client. Window: Reset / Refresh; VPN Client Type: 3002-8E; Serial Number; Bootcode Rev: Cisco Systems, Inc VPN 3002 Hardware Client Version 3.0 Rel Feb 26 2001 10:39:17; Software Rev: Cisco Systems, Inc VPN 3002 Hardware Client Version 3.6 Beta_2 Jun 26 2002 14:01:01 DEBUG_MASK; Up Since: 03/07/2002 09:42:02; RAM Size: 16 MB; Disconnect Now / Connect Now; Tunnel Established to: 192.168.1.5; Duration: 0:00:22; Tunnel Type: IPSec; Security Associations table (columns Type, Remote Address, Encryption, Authentication, counters and Other): IKE 192.168.1.5 3DES MD5, Aggressive Mode, DH Group 2; IPSec 192.168.1.5 3DES HMAC/MD5; IPSec 10.0.1.0/255.255.255.0 3DES HMAC/MD5.]
When the private IP address is changed and the network extension mode is enabled, the tunnel is automatically established. You can view the tunnel status from the Monitoring>System Status window on the Hardware Client. A tunnel was established between the Concentrator, 192.168.1.5, and the Hardware Client, 192.168.10.10. The duration is the time the tunnel has been up. To update the window and its data, click Refresh.

For SAs, the following information is available:

■ IKE SA—The SA establishes secure communications between the Hardware Client and the Concentrator.

■ IPSec SA—From the public port on the Hardware Client to the public port of the Concentrator.

■ IPSec SA—There is one more SA for any data streams between PCs on the corporation's private network. This last SA is only viewable if traffic is passing between the Hardware Client and the Concentrator. In the figure above, there is no data traffic.

Note In Client mode, the Concentrator passes an assigned address to the Hardware Client during IPSec tunnel establishment. This address is the remote IP address. This assigned address is viewable from the Monitoring>System Status window. In Network Extension mode, the Hardware Client uses the private IP network address as the remote IP address. An assigned address is not applicable in this mode and is not present in the Monitoring>System Status window.
Concentrator—Monitor Session

[Figure: Concentrator Monitoring>Sessions window in network extension mode. Topology: central site host 10.0.1.10, Concentrator 192.168.1.5, Internet, Hardware Client 172.26.26.1 / 192.168.10.10 with host 192.168.10.32. Session Summary columns: Active LAN-to-LAN Sessions, Active Remote Access Sessions, Active Management Sessions, Total Active Sessions, Peak Concurrent Sessions, Concurrent Sessions Limit, Total Cumulative Sessions. LAN-to-LAN Sessions: No LAN-to-LAN Sessions. Remote Access Sessions entry: Public IP Address 172.26.26.1, Assigned IP Address 192.168.10.0, Group training, Protocol IPSec, Encryption 3DES-168, Client Type VPN 3002, Version 3.6.Beta_2, with Login Time, Duration, Bytes Tx and Bytes Rx. Management Sessions entry: admin, 172.26.26.1, HTTP, Encryption None.]
It is also possible to view the session information from the Concentrator's end of the tunnel. Choose the Monitoring>Sessions window to view the tunnel status. Under the Remote Access Sessions group window, the following IPSec tunnel information is available:

■ User Name—The username or login name for the session.

■ Public IP Address—The IP address of the public interface of the Hardware Client.

■ Assigned IP Address—The private virtual IP address assigned to the Hardware Client for this session. In Network Extension mode, the assigned IP address is the Hardware Client's private network address, 192.168.10.0.

■ Group—The group assigned to the Client.

■ Protocol—The protocol this session is using.

■ Encryption—The data encryption algorithm this session is using.

■ Login Time—The date and time (MM DD HH:MM:SS) that the session logged in.

■ Duration—The elapsed time (HH:MM:SS) between the session login time and the last window refresh.

■ Client Type—The type of client that is connected.

■ Version—The software version number (for example, 3.6.Rel) for connected clients.

■ Bytes Transmitted and Received—The total number of bytes transmitted to and received from the remote peer by the Concentrator.

An administrator can receive more details on the sessions by selecting a specific username.


10-34 Cisco Secure Virtual Private Networks 4.1 Copyright © 2005, Cisco Systems, Inc. 


Concentrator—Monitor Session Detail

[Figure: Monitoring>Session>Details window in network extension mode. Topology: Concentrator, Internet, Hardware Client 172.26.26.1 / 192.168.10.10 with hosts 192.168.10.31 and 192.168.10.32. Session line: student1, Public IP Address 172.26.26.1, Assigned IP Address 192.168.10.0, IPSec, 3DES-168, Login Time Aug 07, Duration 0:02:35, Bytes Tx 48448, Bytes Rx 17848. IKE Sessions: 1; IPSec Sessions: 2. IKE Session: Session ID 1, Encryption Algorithm 3DES-168, Hashing Algorithm MD5, Diffie-Hellman Group 2 (1024-bit), Authentication Mode Pre-Shared Keys, IKE Negotiation Mode Aggressive, Rekey Time Interval. IPSec Session: Session ID 2, Remote Address 172.26.26.1, Local Address 192.168.1.5, Encryption Algorithm 3DES-168, Hashing Algorithm MD5, Encapsulation Mode Tunnel, Rekey Time Interval, Bytes Received 0, Bytes Transmitted 0. IPSec Session: Session ID 3, Remote Address 192.168.10.0/0.0.0.255, Local Address 10.0.1.0/0.0.0.255, Encryption Algorithm 3DES-168, Hashing Algorithm MD5, Encapsulation Mode Tunnel, Rekey Time Interval, Bytes Received 17848, Bytes Transmitted 51803.]
The Monitoring>Session>Details window enables the administrator to view more in-depth information about the session, such as the hashing algorithm, authentication mode, encryption algorithm, and DH group. The top line is the remote access session entry from the previous window, Monitoring>Sessions>Remote Access Sessions. Below the remote access session entry, the window is divided into IKE and IPSec sessions.

The first session is the IKE session. This part displays the details of the IKE tunnel establishment: hashing algorithm, encryption algorithm, authentication method, rekey interval, DH group, and IKE negotiation mode. The next two sections detail the IPSec sessions. Displayed are the attributes of each IPSec session, including the local and remote IP address, hashing and encryption algorithms, encapsulation mode, rekey interval, and so on.

In the figure, the tunnel is established between the public interfaces of the Concentrator and the Hardware Client, as documented under the first IPSec session. When traffic flows, it flows between any address on the central site LAN and hosts on the Hardware Client private network, 192.168.10.10/0.0.0.255, as documented under the second IPSec session. In this case, any hosts on the Hardware Client are addressable from the central site.
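As an added example (not Cisco code and not part of the lesson), the following Python models what the two modes should produce in the Monitoring>Session>Details window: in client mode the data SA pairs the central LAN with the single PAT address (first session detail figure), in network extension mode it pairs the central LAN with the whole Hardware Client private network (the figure above). The session dictionaries, the "address/wildcard" parsing and the check function are assumptions built from the figures' values; the check flags selectors that do not fit the intended mode and a private interface still at the factory default.

```python
"""Expected IPSec SA traffic selectors for the VPN 3002 Hardware Client in
client (PAT) mode and in network extension mode, checked against the
sessions shown in the Concentrator's Monitoring>Session>Details window.
Added example, not Cisco code; the session dictionaries are a hand-built
stand-in for the window's Local Address / Remote Address fields."""
import ipaddress

# Factory default private interface address. While it is unchanged the
# Hardware Client stays locked in client mode (see the lesson text).
FACTORY_DEFAULT_PRIVATE_IP = ipaddress.ip_address("192.168.10.1")


def wildcard_to_network(addr_mask):
    """Turn the 'address/wildcard' form printed in the session details
    (for example '10.0.1.0/0.0.0.255') into an IPv4Network. A bare address
    is a single host, which is how the PAT address appears in client mode."""
    if "/" not in addr_mask:
        return ipaddress.ip_network(addr_mask + "/32")
    addr, wildcard = addr_mask.split("/", 1)
    hostbits = int(ipaddress.ip_address(wildcard))
    netmask = ipaddress.ip_address((~hostbits) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)


def expected_data_selectors(mode, central_lan, assigned_ip=None, private_net=None):
    """(local, remote) networks the data IPSec SA should carry in each mode:
    client mode pairs the central LAN with the single assigned (PAT) address,
    network extension mode pairs it with the whole Hardware Client LAN."""
    local = wildcard_to_network(central_lan)
    if mode == "client":
        if assigned_ip is None:
            raise ValueError("client mode needs the assigned (PAT) address")
        remote = wildcard_to_network(assigned_ip)
    elif mode == "network-extension":
        if private_net is None:
            raise ValueError("network extension mode needs the private network")
        remote = wildcard_to_network(private_net)
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return local, remote


def network_extension_allowed(private_ip):
    """Network extension mode cannot be selected while the private interface
    still carries the factory default address."""
    return ipaddress.ip_address(private_ip) != FACTORY_DEFAULT_PRIVATE_IP


def check_session_details(mode, sessions, concentrator_public, client_public,
                          central_lan, **selector_args):
    """Compare the listed IPSec sessions with what the mode should produce:
    one SA between the two public interfaces and one data SA whose selectors
    match the mode. Returns a list of findings; empty means all as expected."""
    findings = []
    tunnel_pair = (wildcard_to_network(concentrator_public),
                   wildcard_to_network(client_public))
    exp_local, exp_remote = expected_data_selectors(mode, central_lan, **selector_args)
    seen_tunnel = seen_data = False
    for s in sessions:
        local, remote = wildcard_to_network(s["local"]), wildcard_to_network(s["remote"])
        if s.get("encapsulation", "Tunnel") != "Tunnel":
            findings.append(f"{local} <-> {remote}: encapsulation mode is not Tunnel")
        if (local, remote) == tunnel_pair:
            seen_tunnel = True
        elif (local, remote) == (exp_local, exp_remote):
            seen_data = True
        else:
            findings.append(f"unexpected selectors {local} <-> {remote} for {mode} mode")
    if not seen_tunnel:
        findings.append("no SA between the public interfaces")
    if not seen_data:
        findings.append(f"no data SA {exp_local} <-> {exp_remote} "
                        "(in client mode it appears only once traffic flows)")
    return findings


# Constructed from the two session detail figures: client mode, then
# network extension mode (same tunnel SA, different data SA).
CLIENT_MODE_SESSIONS = [
    {"local": "192.168.1.5", "remote": "172.26.26.1", "encapsulation": "Tunnel"},
    {"local": "10.0.1.0/0.0.0.255", "remote": "10.0.1.70", "encapsulation": "Tunnel"},
]
NEM_SESSIONS = [
    {"local": "192.168.1.5", "remote": "172.26.26.1", "encapsulation": "Tunnel"},
    {"local": "10.0.1.0/0.0.0.255", "remote": "192.168.10.0/0.0.0.255",
     "encapsulation": "Tunnel"},
]

if __name__ == "__main__":
    common = ("192.168.1.5", "172.26.26.1", "10.0.1.0/0.0.0.255")
    print(check_session_details("client", CLIENT_MODE_SESSIONS, *common,
                                assigned_ip="10.0.1.70"))
    print(check_session_details("network-extension", NEM_SESSIONS, *common,
                                private_net="192.168.10.0/0.0.0.255"))
    # A client-mode session list judged against network extension expectations
    print(check_session_details("network-extension", CLIENT_MODE_SESSIONS, *common,
                                private_net="192.168.10.0/0.0.0.255"))
    print(network_extension_allowed("192.168.10.1"), network_extension_allowed("192.168.10.10"))
```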
Summary

This topic summarizes what you learned in this lesson.

Summary

• The Cisco VPN 3002 Hardware Client supports two modes: client and network extension.

• Client mode will translate the PC IP address via PAT. All traffic from private networks appears as a single-source IP address.

• In network extension mode, all PCs are uniquely addressable via the tunnel.
Lab Exercise—Configuring Cisco VPN 3002 Hardware Client Remote Access

Complete the following lab exercise to practice what you learned in this lesson.

Objectives
Your task in this lab exercise is to install and configure the Cisco Virtual Private Network (VPN) 3002 Hardware Client and configure the Cisco VPN 3000 Series Concentrator to enable VPN encrypted tunnels. Work with your lab exercise partner to complete the following tasks:

■ Reconfigure the student PC networking parameters.

■ Return the Cisco VPN 3002 Hardware Client to factory settings.

■ Configure the Cisco VPN 3002 Hardware Client using the VPN 3002 Hardware Client Manager.

■ Configure the Cisco VPN 3002 Hardware Client event monitoring.

■ Launch the Cisco VPN 3002 Hardware Client VPN tunnel.

■ Update the Cisco VPN 3002 Hardware Client system software.

■ Monitor the Cisco VPN 3000 Series Concentrator statistics.

■ Return the Cisco VPN 3002 Hardware Client to factory settings.

■ Configure the Cisco VPN 3002 Hardware Client private interface.

■ Configure the Cisco VPN 3002 Hardware Client for network extension mode.

■ Launch the Cisco VPN 3002 Hardware Client VPN tunnel.

■ Monitor the Cisco VPN 3000 Series Concentrator statistics.
Visual Objective

The following figure displays the configuration you will complete in this lab exercise.

[Figure: Lab Visual Objective. Student PC 192.168.1PP.2 on the Hardware Client private network 192.168.1PP.0; Hardware Client public side on 172.26.26.0 via RBB; Concentrator public network 192.168.P.0 and private network 10.0.P.0; RTS.]


Scenario 


Your company wants you to implement a Cisco VPN using remotely located Hardware Clients 
terminating at centrally located Concentrators. You must configure both the Concentrator and 
the Hardware Client for remote access using both client mode and network extension mode. 


Task 1—Reconfigure the Student PC Networking Parameters 


Certain networking parameters must be reconfigured before your student PC will communicate 
with a Hardware Client. Use the following information to reconfigure your student PC 
networking parameters. 


(If you are not sure which IP addresses to use, ask your instructor.) 


■ Primary IP address—192.168.1PP.2
(where PP = two-digit pod number [for example, Pod 1 is 01])

■ Default gateway IP address—192.168.1PP.1
(where PP = two-digit pod number [for example, Pod 1 is 01])
Task 2—Return the Cisco VPN 3002 Hardware Client to Factory Settings

The instructor will provide you with the procedures for access to the Hardware Client console port, as this will vary according to your lab connectivity. After you access the Hardware Client console port, the Hardware Client login prompt will appear. Complete the following steps to return the Hardware Client to the factory settings:

Note This procedure assumes that Windows 2000 is already running on the student PC.

Step 1 Log in to the Hardware Client command line interface (CLI) using the administrator account:
Login: admin
Password: admin

Step 2 Complete the following sub-steps starting from the CLI top-level menu:
1. Access the Administration menu:
Main -> 2
2. Access the System Reboot menu:
Admin -> 2
3. Access the Schedule Reboot menu:
Admin -> 2
4. Select Reboot ignoring the Configuration file:
Admin -> 3
5. Select Reboot Now:
Admin -> 2
It takes several moments for the Hardware Client to reboot. You are automatically logged out of the unit.

Step 3 Log in to the Hardware Client using the administrator account:
Login: admin
Password: admin

Step 4 Complete the following sub-steps, starting from the CLI top-level menu. Ignore the recurring "IP interface 2 was unable to acquire an address via DHCP" message and complete the following steps:
1. Select the Configuration menu:
Main -> 1
2. Select the Interface Configuration menu:
Config -> 2
3. Select the Configure the Private Interface menu:
Interfaces -> 1
4. Select interface setting (Disable or Static IP):
Private Interface -> 1
5. Select Enable using Static IP Addressing:
Private Interface -> 2
6. Enter the Cisco VPN 3002 Hardware Client private interface IP address:
Private Interface -> [192.168.10.1] 192.168.1PP.1
(where PP = two-digit pod number [for example, Pod 1 is 01])
Several messages appear, indicating the condition of the Ethernet #1 (private) interface. Disregard these messages.
7. Enter the Hardware Client private interface mask:
Enter Subnet Mask -> [255.255.255.0] Enter
8. Return to the top-level menu:
Ethernet Interface 1 -> h
9. Save changes to the configuration file:
Main -> 4
10. Exit the CLI:
Main -> 6

Step 5 Close the CLI session.

Task 3—Configure the Cisco VPN 3002 Hardware Client Using the VPN 3002 Hardware Client Manager

Complete the following steps to finish the Hardware Client configuration using the Hardware Client Manager.

Step 1 Launch Internet Explorer by double-clicking the Internet Explorer desktop icon.

Step 2 Enter a Hardware Client private interface IP address in the Internet Explorer Address field: 192.168.1PP.1.
(where PP = two-digit pod number [for example, Pod 1 is 01])

Step 3 Log in to the Hardware Client using the administrator account:
Login: admin
Password: admin
The username (login) and password are always case sensitive.

Step 4 In the main window, click the click here to start Quick Configuration hyperlink. The Configuration>Quick>Time and Date window opens.

Step 5 Complete the following sub-steps from the Configuration>Quick>Time and Date window:
1. View the contents of the window.
2. Click Continue.

Step 6 Complete the following sub-steps from the Configuration>Quick>Upload Config window:
1. View the contents of the window.
2. Click No.

Step 7 Complete the following sub-steps from the Configuration>Quick>Private Interface window:
1. Select No when you are asked if you wish to configure the IP address of the private interface.
2. Select No, do not use DHCP server to provide addresses when you are asked if you want to use DHCP server on the private interface.
3. Click Continue.

Step 8 Complete the following sub-steps from the Configuration>Quick>Public Interface window:
1. Enter the system name: studentP.
(where P = pod number)
2. Select Specify an IP address.
3. Enter a Hardware Client public interface IP address in the IP Address field: 172.26.26.1PP.
(where PP = two-digit pod number [for example, Pod 1 is 01])
4. Enter a Hardware Client public interface subnet mask in the Subnet Mask field: 255.255.255.0.
5. Enter a backbone router IP address in the default gateway field: 172.26.26.150.
6. Click Continue.

Step 9 Complete the following sub-steps from the Configuration>Quick>IPSec window:
1. In the Remote Server IP Address field, enter the Concentrator's public interface IP address: 192.168.P.5.
(where P = pod number)
2. Verify that Use Certificate is deselected.
3. Enter the group name: training.
4. Enter the group password: training.
5. Verify the group password: training.
6. Enter the username: studentP.
(where P = pod number)
7. Enter the user password: studentP.
(where P = pod number)
8. Verify the user password: studentP.
(where P = pod number)
9. Click Continue. It may take a few moments to complete.
Step 10 Complete the following sub-steps from the Configuration>Quick>Port Address Translation (PAT) window:
1. View the contents of the window. Answer the following question:
Q1) What is the default mode, PAT or Network Extension?
A)
2. Click Continue.

Step 11 Complete the following sub-steps from the Configuration>Quick>DNS window:
1. View the contents of the window.
2. Click Continue.

Step 12 Complete the following sub-steps from the Configuration>Quick>Static Routes window:
1. View the contents of the window.
2. Click Continue.

Step 13 Complete the following sub-steps from the Configuration>Quick>Admin Password window:
1. View the contents of the window.
2. Click Continue.

Step 14 Do not log out of the Hardware Client Manager window, and do not close Internet Explorer.

Task 4—Configure the Cisco VPN 3002 Hardware Client Event Monitoring

Complete the following steps to configure event monitoring on the Hardware Client:

Step 1 From the Configuration menu tree, drill down to System>Events>Classes.

Step 2 Click Add. The Classes>Add window opens.

Step 3 Enable logging for the AUTHDBG event class by completing the following sub-steps:
1. Select class name: AUTHDBG.
2. Set the Severity to Log: 1-9.
3. Leave all other fields at their default values.
4. Click Add.

Step 4 Enable logging for the IKEDBG event class by completing the following sub-steps:
1. Click Add.
2. Select class name: IKEDBG.
3. Set the Severity to Log: 1-9.
4. Leave all other fields at their default values.
5. Click Add.

Step 5 Enable logging for the IPSECDBG event class by completing the following sub-steps:
1. Click Add.
2. Select class name: IPSECDBG.
3. Set the Severity to Log: 1-9.
4. Leave all other fields at their default values.
5. Click Add.

Step 6 Save the configuration.

Step 7 From the Monitoring menu tree, drill down to Filterable Event Log.

Step 8 Click Clear Log.

Step 9 Set Events/page to ALL.

Step 10 Do not log out of the Hardware Client. Do not close Internet Explorer.

Task 5—Launch the Cisco VPN 3002 Hardware Client VPN Tunnel

Complete the following steps to launch and monitor the Hardware Client VPN tunnel:

Step 1 From the Monitoring menu tree, drill down to System Status. A VPN tunnel should already be established to the Concentrator. If a VPN tunnel is not established, click Connect Now. Answer the following questions:
Q2) How can you tell if the tunnel is established?
A)
Q3) How many Internet Key Exchange (IKE) sessions were established?
A)
Q4) How many IPSec sessions were established?
A)

Step 2 Ping a Concentrator private interface IP address of 10.0.P.5 using the Administration menu tree ping function.
(where P = pod number)

Step 3 Return to the System Status window and click Refresh. Answer the following question:
Q5) Which IPSec tunnel was used to transmit the pings?
A)

Step 4 Do not log out of the Hardware Client. Do not close Internet Explorer.
Task 6—Update the Cisco VPN 3002 Hardware Client System Software

Complete the following steps to update the Hardware Client system software:

Step 1 From the Administration menu tree, drill down to Software Update. The Administration>Software Update window opens.

Step 2 Click Browse. The Choose File window opens.

Step 3 Open the desktop TFTP folder.

Step 4 Select the Cisco VPN 3002 Software file, vpn3002-4.0.1.Rel-k9.bin. (If you are unsure which software file to select, ask your instructor for help.)

Step 5 Click Open.

Step 6 Click Upload. The Software Update Progress window opens, followed by the Software Update Success window. Wait until the software update is complete before continuing.

Step 7 Select Click here to go to the reboot options. The Administration>System Reboot window opens.

Step 8 Select the action to take: Reboot.

Step 9 Select the type of reboot to perform: Reboot without saving active configuration.

Step 10 Select the time to perform the reboot or shutdown: Now.

Step 11 Click Apply and wait approximately two minutes for the reboot to complete.

Step 12 Log in to the Hardware Client Manager using the administrator account:
Login: admin
Password: admin

Step 13 From the Monitoring menu tree, drill down to System Status and answer the following question:
Q6) What is the current software revision?
A)

Step 14 Log out of the Hardware Client Manager.

Task 7—Monitor the Cisco VPN 3000 Series Concentrator Statistics

Complete the following steps to monitor Concentrator statistics:

Step 1 Enter a Concentrator's public interface IP address in the Internet Explorer Address field: 192.168.P.5 (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.

Step 2 Log in to the Concentrator using the administrator account:
Login: admin
Password: admin

Step 3 From the Monitoring menu tree, drill down to Routing Table. Answer the following question:
Q7) Which networks are visible?
A)

Step 4 From the Monitoring menu tree, drill down to Sessions, view the Remote Access Sessions window, and complete the following:
1. User name:
2. Assigned IP address:
3. Public IP address:
4. Group:
5. Protocol:
6. Encryption:
7. Login time:
8. Duration:
9. Client Type:
10. Version:

Step 5 Select studentP (where P = pod number). More information is displayed.

Step 6 View the IKE Session fields and answer the following questions:
Q8) The encryption algorithm is type?
A)
Q9) The hashing algorithm is type?
A)
Q10) The Diffie-Hellman group is?
A)
Q11) The IKE negotiation mode is?
A)
Step 7 View the IPSec Session fields and answer the following questions:
Q12) The IPSec session ID 2 was established between what two addresses?
A) Local address:
B) Remote address:
Q13) What is the encryption algorithm type?
A)
Q14) What is the hashing algorithm type?
A)
Q15) The IPSec session ID 3 was established between what two addresses?
A) Local address:
B) Remote address:
Q16) Ping your student PC. Was it successful?
A)

Step 8 From the Configuration menu tree, drill down to User Management>Groups. The Configuration>User Management>Groups window opens.

Step 9 Choose training from the Current Groups list and click Modify Group. The Modify Training window opens.

Step 10 Select the HW Client tab.

Step 11 Select Allow Network Extension Mode. If you do not select Allow Network Extension mode, the Concentrator will not permit the Hardware Client to connect via network extension mode. This will result in the next task of the lab exercise not working correctly.

Step 12 Click Apply.

Step 13 Save the changes.

Step 14 Log out of the Concentrator.

Step 15 Close Internet Explorer.

Task 8—Return the Cisco VPN 3002 Hardware Client to Factory Settings

The instructor will provide you with the procedures for access to the Hardware Client console port, as this will vary according to your lab connectivity. After you access the Hardware Client console port, the Hardware Client login prompt will appear. Complete the following steps to return the Hardware Client to the factory settings:
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Step 1 


Step 2 


Step 3 


Log in to the Hardware Client CLI using the administrator account: 
Login: admin 

Password: admin 

Complete the following sub-steps starting from the CLI top-level menu: 


1. Access the Administration menu: 


Main -> 2 


2. Access the System Reboot menu: 


Admin -> 2 


3. Access the Schedule Reboot menu: 


Admin -> 2 


4. Select Reboot ignoring the Configuration file: 


Admin -> 3 


5. Select Reboot Now: 


Admin -> 2 
It takes several moments for the Hardware Client to reboot. You are automatically logged out of 
the unit. 


Leave the CLI session open. Ignore the recurring IP interface 2 was unable to acquire an address 
via DHCP message. 


Task 9—Configure the Cisco VPN 3002 Hardware Client Private Interface

You must first change the private interface IP address to use the Hardware Client network extension mode. If you accept the factory default IP address, 192.168.10.1, you will never be able to select the network extension mode. Complete the following steps to alter the IP address of the Hardware Client private interface using the CLI:

Step 1  Log in to the Hardware Client CLI using the administrator account:
Login: admin
Password: admin

Step 2  Complete the following sub-steps, starting from the CLI top-level menu. Ignore the recurring "IP interface 2 was unable to acquire an address via DHCP" message and complete all of the following steps:

1. Select the Configuration menu:
Main -> 1

2. Select the Interface Configuration menu:
Config -> 2

3. Select the Configure the Private Interface menu:
Interfaces -> 1

4. Select the interface setting (Disable or Static IP):
Private Interface -> 1

5. Select Enable using Static IP Addressing:
Private Interface -> 2

6. Enter the Hardware Client private interface (network extension mode) IP address:
Private Interface -> [0.0.0.0] 192.168.1PP.1
(where PP = two-digit pod number [for example, Pod 1 is 01])
Several messages appear, indicating the condition of the Ethernet #1 (private) interface.

7. Enter the Hardware Client private interface mask:
Enter Subnet Mask -> [255.255.255.0] Enter

8. Return to the top-level menu:
Ethernet Interface 1 -> h

9. Save changes to the configuration file:
Main -> 4

10. Exit the CLI:
Main -> 6

Step 3  Close the session.


Task 10—Configure the Cisco VPN 3002 Hardware Client for Network Extension Mode

Complete the following steps to finish the Hardware Client network extension mode configuration using the Hardware Client Manager:

Step 1  Launch Internet Explorer by double-clicking the desktop icon.

Step 2  Enter a Hardware Client private interface (network extension mode) IP address in the Internet Explorer Address field: 192.168.1PP.1.
(where PP = two-digit pod number [for example, Pod 1 is 01])

Step 3  Log in to the Hardware Client using the administrator account:
Login: admin
Password: admin

The username (login) and password are always case sensitive.

Step 4  In the main window, click the click here to start Quick Configuration hyperlink.

Step 5  Complete the following sub-steps from the Configuration>Quick>Time and Date window:
1. View the contents of the window.
2. Click Continue.

Step 6  Complete the following sub-steps from the Configuration>Quick>Upload Config window:
1. View the contents of the window.
2. Select No, continue on with quick configuration.
Step 7 Complete the following sub-steps from the Configuration>Quick>Private Interface window: 


1. Select No when you are asked if you wish to configure the IP address of the private 
interface. 


2. Select No, do not use DHCP server to provide addresses when you are asked if you want 
to use the DHCP server on the private interface. 


3. Click Continue. 


Step 8 Complete the following sub-steps from the Configuration>Quick>Public Interface window: 


1. Enter the system name: studentP. 
(where P = pod number) 


2. Select Specify an IP address. 


3. Enter a Hardware Client public interface IP address of 172.26.26.1PP. 
(where PP = two-digit pod number [for example, Pod 1 is 01]) 


4. Enter a Hardware Client public interface subnet mask of 255.255.255.0. 
5. Enter a backbone router IP address of 172.26.26.150 in the Default Gateway field. 
6. Click Continue. 


Step 9 Complete the following sub-steps from the Configuration>Quick>IPSec window: 


1. In the Remote Server IP Address field, enter the Concentrator's public interface IP address: 192.168.P.5. 
(where P = pod number) 


2. Verify that Use Certificate is deselected. 
3. Enter the group name: training. 

4. Enter the group password: training. 

5. Verify the group password: training. 


6. Enter the username: studentP. 
(where P = pod number) 


7. Enter the user password: studentP. 
(where P = pod number) 


8. Verify the user password: studentP. 
(where P = pod number) 


9. Click Continue. It may take a few moments to complete. 
Step 10 Complete the following sub-steps from the Configuration>Quick>PAT window: 


1. Select No, use Network Extension Mode. 
2. Click Continue. 


Step 11 Complete the following sub-steps from the Configuration>Quick>DNS window: 


1. View the contents of the window. 


2. Click Continue. 


Step 12 Complete the following sub-steps from the Configuration>Quick>Static Routes window: 


1. View the contents of the window. 


2. Click Continue. 


Step 13 Complete the following sub-steps from the Configuration>Quick>Admin Password window: 


1. View the contents of the window. 


2. Click Continue. 


Step 14 Do not log out of the Hardware Client Manager window, and do not close Internet Explorer. 


Task 11—Launch the Cisco VPN 3002 Hardware Client VPN Tunnel 


Complete the following steps to launch and monitor the Hardware Client VPN tunnels: 


Step 1 Return to the Hardware Client Manager Internet Explorer window. 


Step 2 From the Monitoring menu tree, drill down to System Status. A VPN tunnel should already be 
established to the Concentrator. If not, click Connect now. Answer the following questions: 


Q17) How can you tell if the VPN tunnel is established?

A)

Q18) Which IKE encryption type is used?

A)

Q19) Which IKE authentication type is used?

A)

Q20) Which IPSec encryption type is used?

A)

Q21) Which IPSec authentication type is used?

A)

Q22) Under Other, which IKE mode is used?

A)

Q23) Which Diffie-Hellman group is used?

A)

Step 3  Log out of the Hardware Client Manager.


Task 12—Monitor the Cisco VPN 3000 Series Concentrator Statistics

Complete the following steps to monitor the Concentrator statistics:

Step 1  Enter a Concentrator private interface IP address of 192.168.P.5 in the Internet Explorer Address field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.

Step 2  Log in to the Cisco VPN 3000 Concentrator Series Manager using the administrator account:
Login: admin
Password: admin

Step 3  From the Monitoring menu tree, drill down to Routing Table. Answer the following question:

Q24) Which networks are visible?

A)

Step 4  From the Monitoring menu tree, drill down to Sessions.

Step 5  In the Remote Access Sessions window, select studentP (where P = pod number). More information is displayed.

Step 6  View the Session fields and answer the following questions:

Q25) How many sessions are displayed?

A)

Q26) The IPSec session ID 2 supports a session between what two public interfaces?

A) Local address:

B) Remote address:

Q27) The IPSec session ID 3 supports a session between what two addresses?

A) Local address:

B) Remote address:

Q28) What is the difference between Client and Network Extension mode IPSec session ID 3? (Refer to Task 9, Step 7 for Client mode IPSec session information.)

A) In Client mode, the session is between the Concentrator's private and the Hardware Client's:

B) In Network Extension mode, the session is between the Concentrator's private and the Hardware Client's:

Q29) Ping your student PC. Was it successful?

A)

Step 7  Log out of the Concentrator.

Step 8  Close any open Internet Explorer sessions.
Configure the Cisco Virtual Private Network 3002 Hardware Client for Unit and User Authentication

Overview

This lesson includes the following topics:

■ Objectives
■ Overview of the Hardware Client interactive unit and user authentication features
■ Configuring the Hardware Client interactive unit authentication feature
■ Configuring the Hardware Client user authentication feature
■ Monitoring the Hardware Client user statistics
■ Summary
■ Lab exercise

Objectives

This topic lists the lesson's objectives.

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

■ Describe the Hardware Client interactive unit and user authentication feature.
■ Configure the Hardware Client for interactive unit authentication.
■ Configure the Hardware Client for user authentication.
■ Monitor the Hardware Client user statistics.
Overview of the Hardware Client Interactive Unit and User Authentication Features

This topic presents an overview of the Cisco Virtual Private Network (VPN) 3002 Hardware Client interactive unit and user authentication feature.

[Figure: Hardware Client Default Unit Authentication. The Hardware Client connects across the Internet to the central site, where an authentication server (10.10.10.200) validates the unit's stored credentials.]

The Hardware Client allows up to 253 devices to be logged in behind it. Unlike the Cisco VPN Software Client, the Hardware Client, using the default unit authentication, saves the username and password permanently. During tunnel establishment, the Hardware Client automatically forwards the authentication information to the central site. When the tunnel is established, anyone can gain access to the corporate network; no remote site user intervention is required. Unfortunately, this can be viewed as a security weakness, because it prevents administrators from requiring a Hardware Client user to enter a password before gaining access to the central site network. This is the default method used to authenticate the unit.
[Figure: Hardware Client Authentication Options. Interactive unit authentication and user authentication both take place between the Hardware Client and the authentication server at the central site, across the Internet.]

The administrator has three authentication options:

■ Unit authentication—The Hardware Client stores the username and password and forwards them automatically to the central site when the tunnel is established. This is the default.

■ Interactive unit authentication—The user password is no longer stored in memory on the Hardware Client. When launching a tunnel, a user behind the Hardware Client must supply the username and password each time a tunnel is established. When the tunnel is established, anyone on the Hardware Client private LAN can gain access to the corporate network.

■ User authentication—The first time users attempt to gain access to corporate networks over the tunnels, they are prompted for their authentication credentials. User authentication addresses unauthorized user access.
Configuring the Hardware Client Interactive Unit Authentication Feature

This topic presents an overview of how to configure the Hardware Client interactive unit authentication feature.

[Figure: Interactive Unit Authentication—Concentrator Configuration. The Hardware Client Parameters section of the group's HW Client tab. Check the Inherit? box to set a field that you want to default to the base group value; uncheck the Inherit? box and enter a new value to override base group values. Attributes shown:
- Require Interactive Hardware Client Authentication: check to require the hardware client to be interactively authenticated at each connection attempt.
- Require Individual User Authentication: check to require users behind a hardware client to be authenticated.
- User Idle Timeout: enter the session idle timeout in minutes; use 0 for no timeout.
- Cisco IP Phone Bypass: check to allow Cisco IP Phones to bypass Individual User Authentication behind a hardware client.
- LEAP Bypass: check to allow LEAP packets from Cisco wireless access points to bypass Individual User Authentication.
- Allow Network Extension Mode: check to allow hardware clients using Network Extension Mode to connect.
Apply and Cancel buttons.]

The interactive unit authentication feature is enabled and disabled on the Cisco VPN Concentrator. You can do this by selecting or deselecting the Require Interactive Hardware Client Authentication check box within the Configuration>User Management>Groups>HW Client tab:

■ If selected, the Hardware Client does not save the user password. A remote user must supply the username and password before the tunnel is established.

■ If deselected, the Hardware Client supplies the username and password from memory when the tunnel is established. This is the default setting.

Note  There is a check box labeled Allow Password Storage on Client within the Mode Config tab. This check box enables and disables password storage on the software client only.
Interactive Unit Authentication—Hardware Client Configuration

[Figure: the Hardware Client Configuration>Quick>IPSec window. Enter the information needed to connect to the central-site VPN Concentrator server. Fields shown: Remote Server 192.168.1.5 (enter remote server address/host name); IPSec over TCP (check to enable IPSec over TCP); IPSec over TCP Port 10000 (enter IPSec over TCP port, 1-65535); Use Certificate (click to use the installed certificate); Group training with Password and Verify fields; User student1 with Password and Verify fields. Back (go back without saving changes) and Continue (save changes and continue) buttons.]

The interactive unit authentication feature is enabled and disabled from the central site Concentrator. This information is communicated to the Hardware Client in mode configuration messages each time the tunnel is established. When the Hardware Client is first turned on without an existing configuration file, the GUI enables the user to enter a username and password as part of the quick configuration process. This initial username and password is used the first time a tunnel is established to the central site Concentrator, as shown in the figure. If the Concentrator enables the interactive unit authentication feature during the tunnel negotiation, the Hardware Client removes the password from local memory and configuration files. Subsequent tunnel establishment will require the user to enter a password manually.
Connection Methods

[Figure: VPN 3002 Hardware Client Manager. The System Status page shows VPN Client Type 3002-8E, the serial number, Bootcode Rev (VPN 3002 Hardware Client Version 3.0.Rel Feb 26 2001), Software Rev (VPN 3002 Hardware Client Version 4.0.1.Rel May 06 2003), Up For 26:57:21, Up Since 06/30/2003 10:47:24, RAM Size 16 MB (Memory Status: Green), Disconnect Now and Connect Now buttons, and the status "No Tunnel Established". The browser is redirected to http://192.168.10.10/connstatus.html?url=http://10.0.1.5, where the VPN 3002 Connection Status page shows "Connect Now: VPN 3002 is disconnected." above an Individual User Authentication section.]

When the Hardware Client interactive unit authentication feature is enabled on the Concentrator, a username and password must be supplied to the Hardware Client before a tunnel can be established. There are three methods in which to access the username and password prompt:

■ Connect via the Hardware Client Manager.
■ Connect via the System Status window.
■ Connect via the redirect message.
Method 1—Connect via the Hardware Client Manager

[Figure: the VPN 3002 Hardware Client Manager login sequence. The VPN 3002 Connection Status page shows "Connect Now: VPN 3002 is disconnected." Clicking Connect Now opens the VPN 3002 Interactive Authentication page ("Enter the following information needed to connect the VPN 3002 to the remote network. Please wait for the operation to complete. Enter Username and Password.") with Username student1, a Password field, and Connect and Cancel buttons. After a successful connection the status page reads "VPN 3002 is connected. Since 10/04/2001 15:25:39 (for 0:01:03 hh:mm:ss)" and "Individual User Authentication is disabled. You do not need to log in to access the remote network," with a link back to the VPN 3002 administration page.]

The first method for accessing the username and password prompt is through the Hardware Client Manager. There are three steps in this process:

Step 1  Click the Connection/Login link in the manager window to start the login process. The Connection/Login Status window opens.

Step 2  The Connection/Login Status window displays the current status of the Hardware Client tunnel. The "Hardware Client is disconnected" message indicates that the tunnel is currently down. To continue the process, click Connect Now. The Hardware Client interactive authentication window opens.

Step 3  In the Hardware Client interactive authentication window, enter a username and password in the corresponding fields, and click Connect. Clicking Connect initiates Internet Key Exchange (IKE) tunnel negotiation, while clicking Cancel sends the user back to the Hardware Client interactive authentication window. If interactive unit authentication is disabled, clicking Connect immediately establishes a tunnel to the central site network.

If tunnel negotiation is successful, the "Hardware Client is connected" message is returned. If tunnel negotiation fails, a message is posted and the user is sent back to the same page to re-enter a new username and password combination.

Note  If the remote host tears down the tunnel or if the system reboots, the Hardware Client must be authenticated again before the tunnel can be re-established.
Method 2—Connect via the System Status Window

[Figure: the Monitoring>System Status window of the Hardware Client Manager (VPN Client Type 3002-8E, serial number, Bootcode Rev 3.0.Rel, Software Rev 4.0.1.Rel, Up For 26:57:21, Up Since 06/30/2003 10:47:24, RAM Size 16 MB) with Disconnect Now and Connect Now buttons and the status "No Tunnel Established". Clicking Connect Now opens the VPN 3002 Interactive Authentication page: "Enter the following information needed to connect the VPN 3002 to the remote network. Please wait for the operation to complete. Enter Username and Password." with Username student1, a Password field, and Connect and Cancel buttons.]

Another way to access the login prompt is from the Hardware Client Manager Monitoring>System Status window:

Step 1  Determine if the tunnel is established.

Step 2  If no tunnel is established, click Connect Now to access the username and password prompts.

Step 3  When a username and password is provided, click Connect to establish the tunnel. Clicking Connect initiates the IKE tunnel negotiation.
Method 3—Connect via the Redirect Message

[Figure: the user's browser, whose Address bar shows http://192.168.10.10/connstatus.html?url=http://10.0.1.5, is redirected to the VPN 3002 Connection Status page ("Connect Now: VPN 3002 is disconnected."). Clicking Connect Now opens the VPN 3002 Interactive Authentication page ("Enter the following information to connect the VPN 3002 to the remote network. Please wait for the operation to complete. Enter Username and Password.") with Username student1 and a Password field. After connecting, the status page reads "VPN 3002 is connected. Since 03/02/2002 08:06:04 (for 0:00:09 hh:mm:ss)", "Individual User Authentication is disabled. You do not need to log in to access the remote network," and "Your browser will be redirected in a few seconds; if not, click here to continue."]

The last method for obtaining a login prompt is through message redirection. For example, a remote user powers up the Hardware Client and then attempts to connect to a corporate server via a web browser. Because the interactive unit authentication feature is enabled and the tunnel is not established, the Hardware Client redirects the remote user's web browser to the Hardware Client Connection/Login Status window. If the Hardware Client interactive unit authentication is successful, the remote user's web browser is redirected to the original destination. The Hardware Client unit authentication feature is a four-step process:

Step 1  You, as the remote user, try to make an HTTP connection through the Hardware Client tunnel, but the tunnel is down. With the Hardware Client interactive unit authentication feature enabled, the Hardware Client redirects the user to the Hardware Client Connection/Login Status window.

Step 2  The window displays the tunnel status as disconnected. Click Connect Now to continue the process.

Step 3  Enter the username and password in the corresponding fields within the Hardware Client Interactive Authentication window to connect the Hardware Client to the remote network.

Step 4  Click Continue to initiate an IKE tunnel negotiation. If successful, the Hardware Client opens the Connection/Login Status window. The Connection/Login Status window supplies you with the following information: the Hardware Client is connected and individual user authentication is disabled. After about 10 seconds, the original destination window replaces the Connection/Login Status window.
Hardware Client IPSec Parameters

[Figure: the Hardware Client IPSec parameters window. Enter the information needed to connect to the central-site VPN Concentrator server. Fields shown: Remote Easy VPN Server 192.168.1.5 (enter remote server address/host name); Backup Easy VPN Servers (enter up to 10 backup server addresses/host names from high priority to low, each on a single line); Alert when disconnecting (inform the VPN Concentrator server before the system shuts down or reboots); IPSec over TCP (check to enable IPSec over TCP); IPSec over TCP Port 10000 (enter IPSec over TCP port, 1-65535); Use Certificate (click to use the installed certificate); Certificate Transmission (Entire certificate chain or Identity certificate only; choose how to send the digital certificate to the server); Group training and User student1, each with Name, Password and Verify fields. Apply and Cancel buttons.]

If the central site network enables the interactive unit authentication feature during the tunnel negotiation, the Hardware Client removes the password from the local memory and configuration files.

In the figure, notice that the Password and Verify fields are blank.
Configuring the Hardware Client User Authentication Feature

This topic presents an overview of configuring the Hardware Client user authentication feature.

[Figure: Hardware Client User Authentication Feature. Users behind the Hardware Client are authenticated individually across the Internet before they can use the tunnel.]

Many corporations such as banks, investment houses, and manufacturers envision using the Hardware Client to grant employees access to their corporate networks from home. By default, the Hardware Client saves the password and username permanently. This prevents corporations from requiring a user to enter a password before gaining access to the central site network. In addition, this does not allow prompted authentication, such as token cards; therefore, only fixed password authentication can be used (for example, Remote Access Dial-In User Service [RADIUS], NT Domain). Without some level of user authentication, the Hardware Client represents a substantial risk if placed in an unsecured environment, such as an employee's home.

The user authentication feature enables the authentication of users behind each Hardware Client. When a user attempts to gain access to the corporate network over the tunnel, the username, IP address, and MAC address are checked. If no record of the user is present on the Hardware Client, the user is prompted for authentication credentials. This protects the central site from unauthorized users, such as friends and family members, on the same LAN as the Hardware Client.
User Authentication Feature—Concentrator Configuration

[Figure: User Authentication Feature—Concentrator Configuration. The Hardware Client Parameters section of the group's HW Client tab, with the Require Individual User Authentication check box highlighted. Check the Inherit? box to set a field that you want to default to the base group value; uncheck the Inherit? box and enter a new value to override base group values. Attributes shown: Require Interactive Hardware Client Authentication (check to require the hardware client to be interactively authenticated at each connection attempt); Require Individual User Authentication (check to require users behind a hardware client to be authenticated); User Idle Timeout (enter the session idle timeout in minutes; use 0 for no timeout); Cisco IP Phone Bypass (check to allow Cisco IP Phones to bypass Individual User Authentication behind a hardware client); LEAP Bypass (check to allow LEAP packets from Cisco wireless access points to bypass Individual User Authentication); Allow Network Extension Mode (check to allow hardware clients using Network Extension Mode to connect). Apply and Cancel buttons.]

© 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0—11-16

The user authentication feature is enabled and disabled on the Concentrator. You can do this by selecting the Require Individual User Authentication check box in the Hardware Client tab of the Configuration>User Management>Groups>Modify training window.

There are also three other parameters in this window:

■ User Idle Timeout field—Enables the administrator to set an idle timeout value, in seconds, for all users behind the Hardware Client. If the remote user's keyboard remains idle for a specific period of time, the Hardware Client will log the remote user out.

■ Cisco IP Phone Bypass check box—IP phones do not support a user interface. By checking the Cisco IP Phone Bypass check box, Cisco IP phones can bypass the Hardware Client individual user authentication. This option works only with user authentication.

■ LEAP Bypass—Lightweight Extensible Authentication Protocol (LEAP) Bypass lets LEAP packets from devices behind a Hardware Client travel across a VPN tunnel prior to individual user authentication. This lets workstations using Cisco wireless access point devices establish LEAP authentication. Then they authenticate again per individual user authentication (if enabled).

■ Allow Network Extension Mode check box—Select this check box to allow the Hardware Client using network extension mode to connect.
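The following Python model is an added illustration, not Cisco's code and not part of the course. It serves both the three authentication options listed earlier in this lesson and the HW Client tab parameters just described: it shows who may use the tunnel under default unit authentication, interactive unit authentication and individual user authentication, tracks logged-in users by IP and MAC address, logs them out after the idle timeout, honours the Cisco IP Phone and LEAP bypass options, and decides whether a packet from the private LAN is forwarded, redirected to the Connection/Login Status page or dropped. The packet fields, the verdict names, the "http"/"tcp"/"leap" labels, the sample addresses and the way the model recognises an IP phone are assumptions made for this model, and the idle timeout is counted in whatever unit the caller's clock uses.

```python
"""Added illustration (not Cisco's code, not part of the course): a model of how the
HW Client tab settings decide who may use the Hardware Client tunnel. Packet fields,
verdict names, protocol labels and sample hosts are assumptions made for this model."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class GroupPolicy:
    """Group settings the Concentrator pushes to the unit in mode configuration messages."""
    require_interactive_unit_auth: bool = False  # default: unit password stays stored
    require_individual_user_auth: bool = False   # default: anyone behind the unit passes
    user_idle_timeout: int = 0                   # same time unit as `now`; 0 = no timeout
    cisco_ip_phone_bypass: bool = False
    leap_bypass: bool = False


@dataclass
class Packet:
    src_ip: str
    src_mac: str
    proto: str                 # constructed labels: "http", "tcp", "leap"
    is_ip_phone: bool = False  # assumption: stands in for the unit's phone detection


@dataclass
class HardwareClient:
    policy: GroupPolicy
    stored_password: Optional[str] = "training"  # unit password saved at quick configuration
    tunnel_up: bool = False
    # logged-in users tracked by (IP, MAC) -> (username, last activity time)
    users: Dict[Tuple[str, str], Tuple[str, float]] = field(default_factory=dict)

    def apply_mode_config(self) -> None:
        """Interactive unit auth makes the unit purge the password from memory and config."""
        if self.policy.require_interactive_unit_auth:
            self.stored_password = None

    def bring_up_tunnel(self, password: Optional[str] = None) -> bool:
        """Default unit auth uses the stored password; interactive mode needs one typed in."""
        if self.policy.require_interactive_unit_auth:
            self.tunnel_up = password is not None
        else:
            self.tunnel_up = self.stored_password is not None
        return self.tunnel_up

    def tear_down(self) -> None:
        """Tunnel loss or reboot: the unit must authenticate again and user logins are cleared."""
        self.tunnel_up = False
        self.users.clear()

    def user_login(self, src_ip: str, src_mac: str, username: str, now: float) -> None:
        self.users[(src_ip, src_mac)] = (username, now)

    def decide(self, pkt: Packet, now: float) -> str:
        """Verdict for one packet: 'forward', 'redirect' (to Connection/Login Status) or 'drop'."""
        if not self.tunnel_up:
            # Only an HTTP request under interactive unit auth gets the login redirect.
            if self.policy.require_interactive_unit_auth and pkt.proto == "http":
                return "redirect"
            return "drop"
        if not self.policy.require_individual_user_auth:
            return "forward"  # tunnel up, no user auth: anyone on the private LAN passes
        if self.policy.cisco_ip_phone_bypass and pkt.is_ip_phone:
            return "forward"  # phones have no user interface to log in with
        if self.policy.leap_bypass and pkt.proto == "leap":
            return "forward"  # LEAP may cross the tunnel before individual user auth
        key = (pkt.src_ip, pkt.src_mac)
        if key in self.users:
            username, last = self.users[key]
            if self.policy.user_idle_timeout and now - last > self.policy.user_idle_timeout:
                del self.users[key]  # idle too long: the unit logs the user out
            else:
                self.users[key] = (username, now)  # activity refreshes the idle timer
                return "forward"
        return "redirect" if pkt.proto == "http" else "drop"


def demo() -> Dict[str, str]:
    """Exercise the three modes against constructed hosts; returns the verdicts."""
    pc = Packet("192.168.10.11", "00:50:DA:5A:04:07", "http")
    phone = Packet("192.168.10.20", "00:00:00:00:00:01", "tcp", is_ip_phone=True)
    out = {}
    unit = HardwareClient(GroupPolicy())  # default unit authentication
    unit.bring_up_tunnel()
    out["unit_auth_pc"] = unit.decide(pc, now=0)  # forward, no user intervention at all
    inter = HardwareClient(GroupPolicy(require_interactive_unit_auth=True))
    inter.apply_mode_config()  # password is gone from the unit
    out["interactive_no_password"] = "up" if inter.bring_up_tunnel() else "down"
    out["interactive_http_down"] = inter.decide(pc, now=0)  # redirect to the login page
    inter.bring_up_tunnel("typed-by-user")
    out["interactive_http_up"] = inter.decide(pc, now=1)  # forward for everyone on the LAN
    user = HardwareClient(GroupPolicy(require_individual_user_auth=True,
                                      user_idle_timeout=600, cisco_ip_phone_bypass=True))
    user.bring_up_tunnel()
    out["user_auth_before_login"] = user.decide(pc, now=0)  # redirect
    out["user_auth_phone"] = user.decide(phone, now=0)  # forward via bypass
    user.user_login(pc.src_ip, pc.src_mac, "student1", now=0)
    out["user_auth_after_login"] = user.decide(pc, now=100)  # forward
    out["user_auth_after_idle"] = user.decide(pc, now=1000)  # redirect: idle 900 > 600
    return out
```

Running demo() makes the difference between the modes visible in one table: with default unit authentication every host is forwarded as soon as the unit's stored password brings the tunnel up, with interactive unit authentication nothing passes until someone types the password but everyone passes afterwards, and only individual user authentication gates each (IP, MAC) pair separately, which is why the lesson treats it as the answer to unauthorized users on the home LAN.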
User Authentication Feature—Hardware Client Configuration

The user authentication feature is enabled and disabled from the central site Concentrator. This information is communicated to the Hardware Client each time the tunnel is established via mode configuration messages. When the Hardware Client is turned on without an existing configuration file, the GUI enables the user to enter a username and password for the unit as part of this quick configuration process. This initial username and password is used the first time a tunnel is established to the central site Concentrator. If the central site network enables the user authentication feature during the tunnel negotiation, the Hardware Client removes the password from the local memory and configuration files, as shown in the figure. Subsequent tunnel establishment and logins will require the user to enter a password manually.
Connection Methods

[Figure: VPN 3002 Hardware Client Manager System Status (VPN Client Type 3002-8E, Bootcode Rev 3.0.Rel Feb 26 2001, Software Rev 3.5.int_72 Oct 04 2001, Up For 3d 2:06:34, Up Since 10/05/2001 08:00:24, RAM Size 16 MB) with Disconnect Now and Connect Now buttons and the status "No Tunnel Established". The browser is redirected to http://192.168.10.10/connstatus.html?url=http://10.0.1.5, where the VPN 3002 Connection Status page shows "Connect Now: VPN 3002 is disconnected." above the Individual User Authentication section.]

When the Hardware Client individual user authentication feature is enabled on the Concentrator, a username and password must be supplied to the Hardware Client before an individual can access the Hardware Client tunnel. There are three methods in which an end user can gain access to the individual user authentication process:

■ Connect via the Hardware Client Manager.
■ Connect via the System Status window.
■ Connect via the redirect message.
Method 1—Connect via the Hardware Client Manager

[Figure: the VPN 3002 Connection Status page reads "VPN 3002 is connected. Since 10/04/2001 15:36:03 (for 0:04:07 hh:mm:ss)" and, under Individual User Authentication, "Individual User Authentication is required. You need to log in to access the remote network. You are not logged in." with a Log In Now button, IP 192.168.10.11 and MAC 00:50:DA:5A:04:07. Clicking Log In Now opens the Individual User Authentication page ("Enter the following information needed to log in to the remote network") with Username student1 and a Password field. After login the status page reads "VPN 3002 is connected. Since 03/02/2002 08:24:29 (for 0:03:02 hh:mm:ss)" and "You are logged in. Username: student1, IP: 192.168.10.16, MAC: 00:50:DA:5A:04:07, Since: Mar 02 08:27:31" with a Log Out Now button and "Your browser will be redirected in a few seconds; if not, click here to continue."]

The first method for accessing the username and password prompt is through the Hardware Client Manager. There are three steps in this process:

Step 1  Click the Connection/Login link in the manager window to start the login process. The Connection/Login Status window opens.

Step 2  The Connection/Login Status window displays the Hardware Client tunnel status and individual user authentication. The Hardware Client tunnel status indicates that the tunnel is connected but the individual user is not logged in. To continue the process, click Log In Now. The Hardware Client interactive authentication window opens.

Step 3  In the Hardware Client interactive authentication window, enter a username and password in the corresponding fields, and click Connect. Clicking Connect initiates IKE tunnel negotiation, while clicking Cancel sends the user back to the Hardware Client interactive authentication window. If tunnel negotiation is successful, a logged in message is returned along with the remote user's MAC and IP address. The Hardware Client tracks successfully logged-in remote users by their MAC and IP address.
Method 2—Connect via the System Status Window

[Figure: Monitoring>System Status window showing VPN Client Type 3002-8E, Serial Number, Up For / Up Since, the Disconnect Now and Connect Now buttons and "No Tunnel Established"; the Connect Now login window with Username and Password fields; and the Bootcode Rev and Software Rev lines (Cisco Systems, Inc./VPN 3002 Hardware Client Version 4.0.1.Rel May 06 2003 12:46:38).]

Another way to access the login prompt is from the Hardware Client Manager System Status window:

Step 1 Click Connect Now in the Monitoring>System Status window. The Monitoring>System Status>Connect Now window opens.

Step 2 Enter a username and password in the corresponding fields, and click Connect to establish the tunnel. Clicking Connect initiates IKE tunnel negotiations.
Method 3—Connect via the Redirect Message

[Figure: the browser is redirected to the Connection/Login Status window, which shows "VPN 3002 is connected", "Individual User Authentication is required. You need to log in to access the remote networks", "You are not logged in" and a Log In Now button beside the user's IP (192.168.10.16) and MAC (00:50:DA:5A:04:07) addresses; the Individual User Authentication window with Username (student1) and Password fields; and the "You are logged in" status listing username, IP, MAC and login time, with the notice "Your browser will be redirected in a few seconds; if not, click here to continue."]

If individual user authentication is required, any attempt to access the central site network via HTTP immediately redirects the user's web browser to the user's Connection/Login Status window, which shows the "You are not logged in" message. To access the original central site website, the user must first log in successfully.

If individual user authentication is enabled and the source IP and MAC addresses associated with the user's browser access are not authenticated, the Connection/Login Status window indicates that the user is not logged in. By clicking Log In Now, the user is transferred to the Individual User Authentication window, where they have to enter a username and password into the corresponding fields and click Login. The Hardware Client then initiates an authentication sequence.

During user authentication, the central site Concentrator determines whether the username specified in the Individual User Authentication window was already used to authenticate another machine. If the current authentication exceeds the simultaneous user login count for this group, the authentication fails and the user's browser is transferred back to the Connection/Login Status window with an error message. If the user authentication is successful, the Hardware Client returns a Connection/Login Status window with a "You are logged in" message. The source IP address, MAC address, and username are saved as an authenticated machine.

If individual user authentication is disabled and the IKE tunnel has been established, the user does not need to log in to access the remote network.
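The redirect, login, simultaneous-login check and (IP, MAC) tracking described above, as an added Python model that is not part of the course material or of Cisco's code; the class names, the table layout, the credentials, the URL and the second machine's addresses are assumptions made for illustration:

```python
"""Model of the individual user authentication (IUA) flow described above.

Added example, not the Hardware Client's or Concentrator's own code: class
names, the (IP, MAC) table layout, credentials and addresses are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Group:
    """The Concentrator group settings that the IUA flow depends on."""
    name: str
    iua_required: bool
    simultaneous_logins: int        # simultaneous user login count for this group
    credentials: dict               # username -> password (constructed sample data)


@dataclass
class Concentrator:
    """Central site: checks the password, then the group's simultaneous login count."""
    group: Group
    logins_by_user: dict = field(default_factory=dict)   # username -> active logins

    def authenticate(self, username: str, password: str) -> bool:
        if self.group.credentials.get(username) != password:
            return False
        # The username may already have authenticated another machine; the login
        # fails when it would exceed the group's simultaneous user login count.
        current = self.logins_by_user.get(username, 0)
        if current + 1 > self.group.simultaneous_logins:
            return False
        self.logins_by_user[username] = current + 1
        return True

    def release(self, username: str) -> None:
        if self.logins_by_user.get(username, 0) > 0:
            self.logins_by_user[username] -= 1


@dataclass
class HardwareClient:
    """Remote site: the IKE tunnel plus the table of authenticated (IP, MAC) machines."""
    concentrator: Concentrator
    tunnel_up: bool = False
    machines: dict = field(default_factory=dict)   # (ip, mac) -> (username, login_time)

    def handle_http(self, src_ip: str, src_mac: str, url: str) -> str:
        """Where a browser request for the central site ends up."""
        if not self.tunnel_up:
            return "redirect: Connection/Login Status"
        if not self.concentrator.group.iua_required:
            return f"forward: {url}"            # IUA disabled: the tunnel alone suffices
        if (src_ip, src_mac) in self.machines:
            return f"forward: {url}"            # source IP and MAC already authenticated
        return "redirect: Connection/Login Status"   # "You are not logged in"

    def log_in(self, src_ip: str, src_mac: str, username: str, password: str,
               now: datetime) -> str:
        if not self.tunnel_up:
            return "tunnel not established"
        if not self.concentrator.authenticate(username, password):
            return "Connection/Login Status: error"   # sent back with an error message
        self.machines[(src_ip, src_mac)] = (username, now)   # saved as authenticated machine
        return "You are logged in"

    def log_out(self, src_ip: str, src_mac: str) -> None:
        entry = self.machines.pop((src_ip, src_mac), None)
        if entry:
            self.concentrator.release(entry[0])

    def user_status(self, now: datetime) -> list:
        """Rows of the Monitoring>User Status window: user, IP, MAC, login time, duration."""
        rows = []
        for (ip, mac), (user, t0) in self.machines.items():
            secs = int((now - t0).total_seconds())
            rows.append((user, ip, mac, t0.strftime("%b %d %H:%M:%S"),
                         f"{secs // 3600}:{secs % 3600 // 60:02d}:{secs % 60:02d}"))
        return rows


def demo() -> dict:
    """Walk one user through redirect, login, a second machine and logout."""
    group = Group("training", iua_required=True, simultaneous_logins=1,
                  credentials={"student1": "student1"})       # constructed sample data
    hwc = HardwareClient(Concentrator(group), tunnel_up=True)
    pc1 = ("192.168.10.11", "00:50:DA:5A:04:07")     # addresses shown in the figure
    pc2 = ("192.168.10.12", "00:50:DA:5A:04:08")     # constructed second machine
    t0 = datetime(2001, 10, 4, 15, 42, 37)
    url = "http://10.0.1.10/"                         # constructed central-site URL
    out = {"before": hwc.handle_http(*pc1, url)}
    out["login"] = hwc.log_in(*pc1, "student1", "student1", t0)
    out["after"] = hwc.handle_http(*pc1, url)
    # The same username from a second machine exceeds the group's count of 1.
    out["second"] = hwc.log_in(*pc2, "student1", "student1", t0)
    out["status"] = hwc.user_status(datetime(2001, 10, 4, 15, 44, 2))
    hwc.log_out(*pc1)
    out["after_logout"] = hwc.handle_http(*pc1, url)
    return out
```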
Monitoring the Hardware Client User Statistics

This topic presents an overview of monitoring the Hardware Client user status.

Hardware Client User Status

[Figure: Connection/Login Status window showing "VPN 3002 is connected" and, under Individual User Authentication, "You are logged in" with Username student1, IP 192.168.10.11, MAC 00:50:DA:5A:04:07, login time and duration, a Log Out Now button and the link "Go back to the VPN 3002 administrative login page"; and the Hardware Client Manager Monitoring>User Status window, which also reports "Cisco IP Phone Bypass is disabled" and lists the authenticated users:]

Username | IP Address | MAC Address | Login Time | Duration (hh:mm:ss) | Actions
student1 | 192.168.10.11 | 00:50:DA:5A:04:07 | Oct 04 15:42:37 | 0:01:25 | Logout

Individual user statistics are available in the Hardware Client within the Connection/Login Status and Monitoring>User Status windows. In the Connection/Login Status window, you can view your username, IP and MAC address, and login time and duration.

Under the Monitoring>User Status window, a new authenticated users window is added on the Hardware Client. This window displays the IP address, MAC address, username, login time and duration, and a logout function for currently authenticated users. If the individual user authentication feature is disabled, this window is still displayed under Monitoring>User Status, but in place of the user authentication information it displays a message indicating that individual user authentication is disabled.


Copyright © 2005, Cisco Systems, Inc. Configure the Cisco VPN 3002 Hardware Client for Unit and User Authentication 11-19 




Concentrator User Status

[Figure: Administration>Sessions>Detail window. IKE Sessions: 1, IPSec Sessions: 2. IKE Session (Session ID 1): Hashing Algorithm MD5, Authentication Mode Pre-Shared Keys (AUTH), Encryption Algorithm 3DES-168, Diffie-Hellman Group 2 (1024-bit), IKE Negotiation Mode Aggressive, Rekey Time Interval 86400 seconds. IPSec Sessions (Session IDs 2 and 3): Local Address, Remote Address, Hashing Algorithm MD5, Encryption Algorithm 3DES-168, Encapsulation Mode Tunnel, Rekey Time Interval 28800 seconds, Idle Time, Bytes Received and Bytes Transmitted. Authenticated Users: Username student1, Login Time Oct 09 11:23:58, Duration.]

On the Concentrator, individual user information is added to the Administration>Sessions>Detail display window. When multiple authentications execute for a given IKE tunnel, the central site Concentrator displays the username and login duration information. The user's MAC and IP addresses are visible only on the Hardware Client.
Summary

This topic summarizes the information presented in this lesson.

■ There are three authentication options available on the Hardware Client: unit authentication, interactive unit authentication, and individual user authentication.

■ Interactive unit and individual user authentication are enabled or disabled on the Concentrator.

■ There are three ways to access interactive unit and individual user authentication prompts: connect via the Hardware Client Manager, connect via the System Status window, or connect via the redirect message.
Lab Exercise—Configure the Cisco VPN 3002 Hardware Client Interactive Unit and Individual User Authentication

Complete the following lab exercise to practice what you learned in this lesson.

Objectives

Your task in this lab exercise is to install and configure the Cisco Virtual Private Network (VPN) 3002 Hardware Client and the Cisco VPN 3000 Series Concentrator to enable IPSec encrypted tunnels. Work with your lab partner to complete the following tasks:

■ Complete the lab exercise setup.

■ Launch a Cisco VPN 3002 Hardware Client IPSec tunnel using default unit authentication.

■ Configure the Cisco VPN 3000 Series Concentrator for interactive unit authentication.

■ Authenticate the Cisco VPN 3002 Hardware Client via Connect Now.

■ Authenticate the Cisco VPN 3002 Hardware Client using the Connection/Login Status link.

■ Authenticate the Cisco VPN 3002 Hardware Client using HTTP re-direction.

■ Configure the Cisco VPN 3000 Series Concentrator for individual user authentication.

■ Launch an IPSec tunnel using both the interactive unit and individual user authentication.
Visual Objective

The following figure displays the configuration you will complete in this lab exercise.

Lab Visual Objective

[Figure: Student PC (192.168.1PP.2) on the 192.168.1PP.0 network, the 192.168.P.0 network, the Cisco VPN 3000 Series Concentrator, and the 10.0.P.0 network with Web and FTP servers.]


Scenario 


Your company wants you to implement a VPN using remotely located Hardware Clients 
terminating at centrally located Concentrators. You must configure the Concentrator to support 
Hardware Client interactive unit and individual user authentication. 


Task 1—Complete the Lab Exercise Setup

Before starting this lab exercise, verify that your equipment is set up as follows:

■ Ensure that your student PC is powered on.

■ Ensure that your student IP addresses are configured correctly:

— Primary IP address—192.168.1PP.2 (where PP = two-digit pod number [for example, Pod 1 is 01])

— Default gateway IP address—192.168.1PP.1 (where PP = two-digit pod number)

■ Ensure that your Hardware Client is powered on.
Task 2—Launch a Cisco VPN 3002 Hardware Client IPSec Tunnel Using Default Unit Authentication

Complete the following steps to launch and monitor the Hardware Client IPSec tunnel:

Step 1 Launch Internet Explorer by double-clicking the desktop icon.

Step 2 Enter a Hardware Client private interface (Client mode) IP address of 192.168.1PP.1 in the Internet Explorer Address field (where PP = two-digit pod number).

Step 3 Log into the Hardware Client using the administrator account:

Login: admin

Password: admin

Both the username (login) and password are always case sensitive.

Step 4 From the Monitoring menu tree, drill down to System Status. An IPSec tunnel should already be established to the Concentrator. If not, click Connect Now.

Step 5 Verify that an IPSec tunnel is present.

Step 6 Log out of the Cisco VPN 3002 Hardware Client Manager. Do not close Internet Explorer.


Task 3—Configure the Cisco VPN 3000 Series Concentrator for Interactive Unit Authentication

With interactive unit authentication, the user password is no longer stored in the memory of the Hardware Client. When launching an IPSec tunnel, a user behind the Hardware Client must supply a username and password each time an IPSec tunnel is established. By default the feature is disabled. Complete the following steps to enable interactive unit authentication:

Step 1 Enter a Concentrator public interface IP address of 192.168.P.5 in the Internet Explorer Address field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.

Step 2 Log into the Concentrator using the administrator account:

Login: admin

Password: admin

Step 3 From the Configuration menu tree, drill down to User Management>Groups.

Step 4 Choose training from the Current Groups list.

Step 5 Click Modify Group. It may take a few moments for the text to appear.

Step 6 Select the HW Client tab.

Step 7 Select the Require Interactive Hardware Client Authentication check box.

Step 8 Click Apply.

Step 9 Save the configuration.

Step 10 Log out of the Concentrator. Do not close Internet Explorer.
Task 4—Authenticate the Cisco VPN 3002 Hardware Client Via Connect Now

With interactive unit authentication enabled, the unit must be authenticated before an IPSec tunnel is established. There are three ways to access the Interactive Unit Authentication Login window. The first way is to access the login via Monitoring>System Status>Connect Now. Complete the following steps to authenticate the Hardware Client interactively via Connect Now:

Step 1 Enter a Hardware Client private interface (Client mode) IP address of 192.168.1PP.1 in the Internet Explorer Address field (where PP = two-digit pod number).

Step 2 Log into the Hardware Client using the administrator account:

Login: admin

Password: admin

Both the username (login) and password are always case sensitive.

Step 3 From the Monitoring menu tree, drill down to System Status. If a tunnel is connected, click Disconnect Now. It takes several moments for the Hardware Client IPSec tunnel to disconnect.

Step 4 Click Connect Now to re-connect the tunnel using interactive unit authentication. The Monitoring>System Status>Connect Now window opens.

Step 5 From the Monitoring>System Status>Connect Now window, complete the following sub-steps:

Note The following entries are case sensitive and should be entered in all lower case.

1. Enter studentP in the User Name field (where P = pod number).

2. Enter studentP in the Password field (where P = pod number).

3. Click Continue to authenticate the unit and establish the IPSec tunnel. The Monitoring>System Status window opens.

Step 6 View the IPSec tunnel information.

Step 7 From the Configuration menu tree, drill down to the System>Tunneling Protocols>IPSec window, and answer the following question:

Q1) What is listed in the user password and verify fields?

A)

Step 8 Return to the Monitoring>System Status window and click Disconnect Now to disconnect the IPSec tunnel. It takes several moments for the Hardware Client IPSec tunnel to disconnect.

Step 9 Log out of the Hardware Client Manager.

Step 10 Do not close Internet Explorer.
Task 5—Authenticate the Cisco VPN 3002 Hardware Client Using the Connection/Login Status Link

The second way to access the login prompt is by using the Connection/Login Status link. Complete the following steps to authenticate the Hardware Client interactively using the Connection/Login Status link:

Step 1 From the Hardware Client Manager window, select the Connection/Login Status link.

Step 2 From the Connection/Login Status window, answer the following questions:

Q2) What is the connection status of the Hardware Client?

A)

Q3) What is the individual user authentication status?

A)

Step 3 Click Connect Now to re-connect the tunnel.

Step 4 Complete the following sub-steps from the Hardware Client Interactive Authentication window:

Note The following entries are case sensitive and should be entered in all lower case.

1. Enter studentP in the User Name field (where P = pod number).

2. Enter studentP in the Password field (where P = pod number).

3. Click Continue to establish the IPSec tunnel to the remote Concentrator.

Step 5 From the Connection/Login Status window, answer the following questions:

Q4) What is the connection status of the Hardware Client?

A)

Q5) What is the individual user authentication status?

A)

Step 6 From the Connection/Login Status window, select Go back to the VPN 3002 administrative login page.

Step 7 Log into the Hardware Client using the administrator account:

Login: admin

Password: admin

Both the username (login) and password are always case sensitive.

Step 8 From the Monitoring menu tree, drill down to System Status. If an IPSec tunnel is connected, click Disconnect Now. It takes several moments for the Hardware Client IPSec tunnel to disconnect.

Step 9 Log out of the Hardware Client Manager.

Step 10 Do not close Internet Explorer.


Task 6—Authenticate the Cisco VPN 3002 Hardware Client Using HTTP Re-direction

The last method is HTTP re-direction. The user attempts to access a URL at the central site. Because the unit has not been authenticated, the Hardware Client re-directs the connection to the Interactive Authentication window for authentication. Complete the following steps to authenticate the Hardware Client via HTTP re-direction:

Step 1 Enter a Concentrator public interface IP address of 192.168.P.5 in the Internet Explorer Address field (where P = pod number). The Hardware Client Connection/Login Status window opens. Answer the following question:

Q6) What IP address was the Internet Explorer window re-directed to?

A)

Step 2 Click Connect Now. The Hardware Client Interactive Authentication window opens.

Step 3 Complete the following sub-steps from the Hardware Client Interactive Authentication window:

Note The following entries are case sensitive and should be entered in all lower case.

1. Enter studentP in the User Name field (where P = pod number).

2. Enter studentP in the Password field (where P = pod number).

3. Click Continue to establish an IPSec tunnel to the remote Concentrator. The Connection/Login Status window opens for four seconds.

Step 4 From the Connection/Login Status window, answer the following questions (you must be fast since the window only stays open for approximately four seconds):

Q7) What is the connection status of the Hardware Client?

A)

Q8) What is the individual user authentication status?

A)

The Cisco VPN 3000 Concentrator Series Manager window opens.

Step 5 Do not disconnect the IPSec tunnel. Do not close Internet Explorer.


Task 7—Configure the Cisco VPN 3000 Series Concentrator for Individual User Authentication

With user authentication, each user behind the Hardware Client must be individually authenticated before they are allowed to use the IPSec tunnel. Each user behind the Hardware Client is prompted for a username and password. By default, the individual user authentication feature is disabled. Complete the following steps to enable individual user authentication on the Concentrator:

Step 1 If the Cisco VPN 3000 Concentrator Series Manager is not visible, enter the Concentrator's public interface IP address of 192.168.P.5 in the Internet Explorer Address field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.

Step 2 Log into the Concentrator using the administrator account:

Login: admin

Password: admin

Step 3 From the Configuration menu tree, drill down to User Management>Groups.

Step 4 Choose training from the Current Groups list.

Step 5 Click Modify Group. It may take a few moments for the text to appear.

Step 6 Select the HW Client tab.

Step 7 Select the Require Individual User Authentication check box. Leave the Require Interactive Hardware Client Authentication check box selected.

Step 8 Click Apply.

Step 9 Save the configuration.

Step 10 Log out of the Concentrator.

Step 11 Enter a Hardware Client private interface (Client mode) IP address of 192.168.1PP.1 in the Internet Explorer Address field (where PP = two-digit pod number).

Step 12 Log into the Hardware Client using the administrator account:

Login: admin

Password: admin

Both the username (login) and password are always case sensitive.

Step 13 From the Monitoring menu tree, drill down to System Status. If an IPSec tunnel is connected, click Disconnect Now. It takes several moments for the Hardware Client IPSec tunnel to disconnect.

Step 14 Log out of the Cisco VPN 3002 Hardware Client Manager and leave Internet Explorer open.
Task 8—Launch an IPSec Tunnel Using Both the Interactive Unit and Individual User Authentication

With both the interactive unit and individual user authentication enabled, the user must authenticate twice. Complete the following steps to establish an IPSec tunnel:

Step 1 Enter a Concentrator's public interface IP address of 192.168.P.5 in the IP Address field (where P = pod number). The Connection/Login Status window opens.

Step 2 From the Connection/Login Status window, answer the following questions:

Q9) What is the Hardware Client Connection status?

A)

Q10) What is the individual user authentication connection status?

A)

Step 3 Click Connect Now to connect the IPSec tunnel. The Hardware Client Interactive Authentication window opens.

Step 4 Complete the following sub-steps from the Hardware Client Interactive Authentication window:

1. Enter studentP in the User Name field (where P = pod number).

2. Enter studentP in the Password field (where P = pod number).

3. Click Continue to establish the IPSec tunnel to the remote Concentrator. It takes several moments for the Hardware Client IPSec tunnel to connect.

Step 5 From the Connection/Login Status window, answer the following questions:

Q11) What is the connection status of the Hardware Client?

A)

Q12) What is the individual user authentication status?

A)

Q13) What is the user's PC IP address?

A)

Q14) What is the user's MAC address?

A)

Step 6 Click Log In Now under Individual User Authentication.

Step 7 Complete the following sub-steps from the Hardware Client Interactive Authentication window:

1. Enter studentP in the User Name field (where P = pod number).

2. Enter studentP in the Password field (where P = pod number).

3. Click Continue to establish the IPSec tunnel to the remote Concentrator. The Hardware Client Connection/Login Status window will quickly open and then be replaced by the Cisco VPN 3000 Concentrator Series Manager.

Step 8 Log into the Concentrator using the administrator account:

Login: admin

Password: admin

Step 9 From the Monitoring menu tree, drill down to Sessions.

Step 10 Select studentP in the Remote Access Sessions summary section (where P = pod number).

Step 11 From the Monitoring>Sessions>Detail window, answer the following questions:

Q15) At the bottom of the Monitoring>Sessions>Detail window, which user was authenticated?

A)

Q16) What other authenticated user information was supplied?

A)

Step 12 From the Configuration menu tree, drill down to User Management>Groups.

Step 13 Choose training from the Current Groups list.

Step 14 Click Modify Group. It may take a few moments for the text to appear.

Step 15 Select the HW Client tab.

Step 16 Deselect the Require Individual User Authentication check box. Leave the Require Interactive Hardware Client Authentication check box selected.

Step 17 Click Apply.

Step 18 Save the configuration.

Step 19 Log out of the Concentrator. Do not close Internet Explorer.

Step 20 Enter a Hardware Client private interface (network extension mode) IP address of 192.168.1PP.1 in the Internet Explorer Address field (where PP = two-digit pod number).

Step 21 Log into the Hardware Client using the administrator account:

Login: admin

Password: admin

Both the username (login) and password are always case sensitive.

Step 22 From the Monitoring menu tree, drill down to User Status. Answer the following questions:

Q17) Which user is authenticated?

A)

Q18) What is the IP address of the authenticated user?

A)

Q19) What is the MAC address of the authenticated user?

A)

Q20) What is the login time and duration of the connection?

A)

Step 23 From the Monitoring menu tree, drill down to System Status.

Step 24 Click Disconnect Now. It takes several moments for the Hardware Client IPSec tunnel to disconnect.

Step 25 Log out of the Hardware Client and close Internet Explorer.
Configure the Cisco Virtual Private Network Client Backup Server, and Load Balancing

Overview

This lesson includes the following topics:

■ Objectives

■ Configuring the Cisco VPN Client backup server feature

■ Configuring the Cisco VPN Client load-balancing feature

■ Overview of the Cisco VPN Client Reverse Route Injection feature

■ Summary

■ Lab exercise


Objectives 


This topic lists the lesson’s objectives. 


Upon the completion of this lesson, you will be able to perform the following tasks:

■ Describe the Cisco VPN Client reverse route injection, backup server, and load-balancing features.

■ Configure the VPN Client for a backup server.

■ Configure the Cisco VPN Client for load balancing.

■ Configure the Concentrator for reverse route injection.
Configuring the Cisco VPN Client Backup Server Feature

This topic presents an overview of how to configure the Cisco Virtual Private Network (VPN) Client backup server.

Backup Server

[Figure: primary server 192.168.1.5 and backup servers 192.168.2.5 and 192.168.3.5, reached across the Internet.]

IPSec backup servers enable a Hardware Client and a VPN Software Client to connect to a backup Concentrator when its primary Concentrator is unavailable. You configure backup servers either on the Hardware Client and the VPN Software Client themselves, or on a group basis on the Concentrator.

The following is an example of what happens when you configure a backup server:

Step 1 The Hardware Client attempts to contact the primary peer.

Step 2 If the Hardware Client does not receive an Internet Key Exchange (IKE) reply packet from the primary Concentrator within eight seconds, the Hardware Client declares the packet lost and logs the event.

Step 3 After four seconds, the Hardware Client attempts a connection with a backup server. The backup server list is traversed from top to bottom. If the bottom of the list is reached with no connection, the tunnel establishment process is terminated. The Hardware Client does not automatically begin again from the top.
Backup Server—Concentrator Configuration

[Figure: Concentrator group configuration for the training group, Concentrator address 192.168.1.5. The IPSec Backup Servers drop-down menu offers Use Client Configured List, Disable and Clear Configured List, and Use List Below, followed by the list of backup server addresses.]

The IPSec backup server feature enables a Hardware Client and VPN Software Client to connect to a backup Concentrator when its primary Concentrator is unavailable. During tunnel negotiation, the VPN Clients ask for a policy from the Concentrator. The Concentrator responds to the request via a Mode Config policy message. The VPN Clients check the policy message and respond appropriately. There are three backup server options available:

■ Use Client Configured List—Instructs the VPN Clients to use their own backup server list.

■ Disable and Clear Configured List—Disables and clears the configured list, and instructs the VPN Clients to clear their own backup server list and disable the feature.

■ Use List Below—Instructs the VPN Clients to use the list of backup servers supplied by the Concentrator. The list is pushed down to the VPN Clients in a proprietary Mode Config message, replacing any backup list on the VPN Clients.

In the example in the figure, the Use List Below option is chosen from the IPSec Backup Server drop-down menu for the training group. Beneath the drop-down menu, four backup server addresses are listed. This information is pushed down to the Hardware Client during tunnel setup. The IPSec backup server is configured on a group-by-group basis.
Backup Server—Hardware Client Configuration

If the Concentrator IPSec backup server option is set to Use Client Configured List, the Hardware Client uses the backup server addresses configured in the Hardware Client. To configure backup servers on a Hardware Client, go to the Configuration>System>Tunneling Protocols>IPSec window. In the backup server window, enter up to ten backup servers, listed from high to low priority. If the Concentrator sends a backup server list to the client, the Hardware Client adds the downloaded list, replacing any entries currently on the backup list.

The PC needs accurate Windows Internet Naming Service (WINS) and Domain Name System (DNS) information to navigate through the central site. Typically the WINS and DNS information is sent to the Hardware Client during tunnel establishment. In turn, the Hardware Client passes the WINS and DNS information to the remote PC in Dynamic Host Configuration Protocol (DHCP) offer messages. To update the WINS and DNS information, you may have to release and then renew the IP address of the PC. By doing so, the PC contacts the Hardware Client for a new IP address. In the resulting DHCP offer message, the PC receives an IP address and WINS and DNS information. To enable the WINS and DNS update process, the Hardware Client is configured as a DHCP server and the PC is set to obtain an IP address via DHCP.
Backup Server—Software Client Configuration

If the Concentrator IPSec backup server option is set to Use Client Configured List, the VPN Software Client uses the backup server addresses configured in the VPN Software Client. Go to Start>Programs>Cisco Systems VPN Client>VPN Client to configure backup servers on a VPN Client. The VPN Software Client window opens. Right-click the connection entry you wish to configure and choose Modify from the menu. The Properties window opens. Choose the Backup Servers tab. In the resulting window, click the Enable Backup Servers check box and then enter up to ten backup servers, listed from high to low priority. If the Concentrator sends a backup server list to the client, the VPN Software Client adds the downloaded list, replacing any entries currently on the backup list.


12-6 Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc. 


Configuring the Cisco VPN Client Load-Balancing 
Feature 


This topic presents an overview of how to configure Cisco VPN Client load balancing. 


Load-Balancing Cluster

[Figure: VPN virtual cluster IP address 192.168.1.150 fronting three Concentrators on one network: 192.168.1.5 (Master), 192.168.1.6 (Secondary) and 192.168.1.7 (Secondary), reached by clients across the Internet.]


If you have a Concentrator configuration in which you are using two or more Concentrators 
connected on the same network to handle remote sessions, you can configure these devices to 
share their session load. This feature is called load balancing. Load balancing directs session 
traffic to the least loaded device, thus distributing the load among all devices. It makes efficient 
use of system resources and provides increased performance and high availability. 


In load balancing, a group of Concentrators work together as a single entity, a cluster. The cluster is known to the outside client space by one IP address, a virtual address. This virtual IP address is not tied to a specific physical device in the VPN cluster; it is serviced by the virtual cluster master. The virtual IP address is a valid, routable address. When remote clients attempt to establish a tunnel, the clients route the IKE messages to the IP address of the cluster—the virtual IP address. The virtual cluster master responds to the messages.


Connections to the load-balancing cluster are based on load. The designated virtual cluster master Concentrator maintains load information from all secondary Concentrators in the cluster. Each secondary Concentrator periodically sends load information in a “Keep Alive” message exchange to the master Concentrator. Load is calculated as the percentage of current active sessions divided by the configured max-allowed connections. When a VPN Client makes a connection request, the master Concentrator checks the load list for the least-loaded Concentrator and directs the VPN Client toward it. The least-loaded Concentrator terminates the new tunnel.

Load balancing is supported on the following VPN Client versions:

■ VPN Software Client Release 3 and above
■ Hardware Client Release 3.5 and above
Load-Balancing Connection Process (figure: VPN virtual cluster IP address 192.168.1.150; Master 192.168.1.5; Secondary 192.168.1.6; Secondary 192.168.1.7)


When a VPN Client is launched, it attempts to establish an IKE tunnel to the VPN virtual cluster IP address: 192.168.1.150. The cluster master responds to the IKE messages by sending a re-direct message to the VPN Client. The re-direct message contains the physical IP address of the least-loaded Concentrator within the cluster. The cluster master determines the least-loaded Concentrator by consulting its load table, which is continuously updated with the secondary Concentrators’ current load information. At IKE tunnel connection time, the cluster master consults its load table, picks the least-loaded secondary Concentrator at that time, and forwards that Concentrator’s IP address to the remote client. In the example in the figure, the IP address of the least-loaded Concentrator within the cluster is 192.168.1.6.


The VPN Client in turn attempts to establish a new tunnel to the least-loaded Concentrator: 
192.168.1.6. The original tunnel to the cluster master’s virtual IP address is torn down. 


Load balancing is only performed during tunnel establishment. 
For load balancing to operate, a new application must be added to the Concentrator. The application is called Virtual Cluster Agent (VCA). VCA is the process executing on each Concentrator in the cluster. VCA is responsible for the following:

■ Joining and exiting the virtual cluster
■ Establishing IPSec connections between peers in the cluster
■ Calculating the load
■ Sending periodic load and health check information to the cluster master
■ Determining a failed cluster master
■ Participating in a virtual master election process

In order for the VCA messages to flow between cluster Concentrators, a VCA filter must be enabled on each Concentrator’s public and private interface.
Load-Balancing Configuration

Load balancing is a three-step process:

Step 1 Add VCA capability to the Concentrator’s public and private interfaces.
Step 2 Configure each Concentrator within the cluster for load balancing.
Step 3 Configure each client with the virtual address of the cluster.
Add Rules to Filter (figure: Configuration>Policy Management>Traffic Management>Filters window. This section lets you add, configure, modify, copy, and delete filters, and assign rules to filters. Click Add Filter to add a filter, or select a filter and click Modify, Copy, Delete, or Assign Rules to Filter.)
The first step of load balancing is to enable VCA message transmissions between Concentrators in the cluster. To do this, you must add a rule to the public and private interface of each Concentrator in the cluster:

Step 1 On each Concentrator in the cluster, go to the Configuration>Policy Management>Traffic Management>Filters window.

Step 2 From the Configuration>Policy Management>Traffic Management>Filters window, choose Public from the Current Rules in Filter list and then click Assign Rules to Filter. The Configuration>Policy Management>Traffic Management>Assign Rules to Filter window opens.

Step 3 In the Available Rules list, choose VCA In and then click Add. VCA In moves to the Current Rules in Filter list.

Step 4 In the Available Rules list, choose VCA Out and then click Add. VCA Out moves to the Current Rules in Filter list.

Step 5 Add the VCA In and VCA Out rules to both the public and private interfaces of each Concentrator.

The functions of VCA In and VCA Out are as follows:

■ VCA In (forward/in)—Forwards any inbound (to this VPN 3000) UDP packet with a destination port of 9023 (VCA port).
■ VCA Out (forward/out)—Forwards any outbound (from this VPN 3000) UDP packet originating from source port 9023 (VCA port).
Concentrator Load-Balancing Configuration (figure: Configuration>System>Load Balancing window, with the Load Balancing Enable check box “Check to enable load balancing for this device”)


The second step in load balancing is to configure each Concentrator in the cluster for load balancing. There are two parts to the configuration: cluster and device configuration. Cluster configuration must be the same for all Concentrators in the cluster. Device configuration parameters can vary across the cluster; the device parameters are Concentrator specific.

To configure load balancing on the Concentrator, go to the Configuration>System>Load Balancing window and complete the following parameters:

■ VPN Virtual Cluster IP Address field—Enter the single IP address that represents the entire virtual cluster. Choose an IP address that is within the public subnet address range shared by all the Concentrators in the virtual cluster.
■ VPN Virtual Cluster UDP Port field—9023 is the default UDP port address. If another application is using this port, enter the UDP destination port number you want to use for load balancing.
■ Encryption check box—The Concentrators in the virtual cluster communicate via LAN-to-LAN tunnels using IPSec. To ensure that all load-balancing information communicated between the Concentrators is encrypted, select this check box.
■ IPSec Shared Secret field—This option is available only if you have selected the preceding Encryption check box. Enter the IPSec shared secret for the virtual cluster. The shared secret is a common password that authenticates members of the cluster. IPSec uses the shared secret as a pre-shared key to establish secure tunnels between virtual cluster peers.
■ Verify Shared Secret field—Re-enter the IPSec shared secret.
■ Load Balancing Enable check box—Select this check box to include this Concentrator in the virtual cluster.
■ Priority field—Enter a priority for this VPN Concentrator within the virtual cluster. The priority is a number from 1 to 10 that indicates the likelihood of this device becoming the cluster master either at startup or when an existing cluster master fails. The higher you set the priority (for example 10), the more likely this device becomes the cluster master. If your cluster includes different models of Concentrators, it is recommended that you choose the device with the greatest load capacity to be the cluster master. For this reason, priority defaults are hardware dependent. If your cluster is made up of identical devices (for example, if all the devices in the virtual cluster are Concentrator 3060s), set the priority of every device to 10. Setting all identical devices to the highest priority shortens the length of time needed to select the virtual cluster master. The default priorities are as follows:
   — Concentrator 3005—1
   — Concentrator 3015—3
   — Concentrator 3030—5
   — Concentrator 3060—7
   — Concentrator 3080—9
■ NAT Assigned IP Address field—If this Concentrator is behind a firewall using Network Address Translation (NAT), NAT has assigned it a public IP address. Enter the NAT IP address. If this device is not using NAT, enter 0.0.0.0. The default setting is 0.0.0.0.
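The connection process described earlier in this topic and the master-election priorities listed above, combined in one runnable model. This is an added example, not Cisco code: the class and method names, the sample session counts, and the lowest-IP tie-break on equal loads are assumptions of the model.

```python
"""Model of a VPN 3000 load-balancing virtual cluster (added example, not Cisco code).

Load is computed as the lesson states: active sessions as a percentage of the
configured max-allowed connections. The master is the live member with the
highest priority; on equal priority or equal load the lowest IP wins (assumed).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

VCA_UDP_PORT = 9023  # default VPN Virtual Cluster UDP port carrying VCA messages

# Default master-election priorities by model, as listed in the lesson.
DEFAULT_PRIORITY = {"3005": 1, "3015": 3, "3030": 5, "3060": 7, "3080": 9}


def ip_key(ip: str) -> Tuple[int, ...]:
    """Sort key so that tie-breaks on IP are numeric, not lexical."""
    return tuple(int(octet) for octet in ip.split("."))


@dataclass
class Concentrator:
    ip: str                        # physical public interface address
    model: str
    max_sessions: int              # configured max-allowed connections
    active_sessions: int = 0
    priority: Optional[int] = None # 1..10; None means the hardware default
    alive: bool = True

    def __post_init__(self) -> None:
        if self.priority is None:
            self.priority = DEFAULT_PRIORITY[self.model]
        if not 1 <= self.priority <= 10:
            raise ValueError("priority must be between 1 and 10")

    def load(self) -> float:
        """Current load as a percentage of max-allowed connections."""
        return 100.0 * self.active_sessions / self.max_sessions


class VirtualCluster:
    def __init__(self, virtual_ip: str, members: List[Concentrator]) -> None:
        self.virtual_ip = virtual_ip
        self.members = members
        self.load_table: Dict[str, float] = {}  # maintained by the master
        self.master = self.elect_master()
        self.keepalive()

    def elect_master(self) -> Concentrator:
        """Highest priority among live members; lowest IP on a tie (assumed)."""
        live = sorted((m for m in self.members if m.alive), key=lambda m: ip_key(m.ip))
        if not live:
            raise RuntimeError("no live Concentrator in the cluster")
        return max(live, key=lambda m: m.priority)  # max keeps the first of equals

    def keepalive(self) -> None:
        """Keep Alive exchange: every live member reports its load to the master."""
        self.load_table = {m.ip: m.load() for m in self.members if m.alive}

    def connect(self) -> str:
        """IKE arrives at the virtual IP; the master answers with a redirect to the
        least-loaded member (possibly itself), which terminates the tunnel.
        Returns the physical IP the client tunnels to."""
        if not self.master.alive:
            self.master = self.elect_master()  # VCA detected a failed master
        self.keepalive()
        ordered = sorted(self.load_table, key=ip_key)
        target_ip = min(ordered, key=lambda ip: self.load_table[ip])
        target = next(m for m in self.members if m.ip == target_ip)
        target.active_sessions += 1  # balancing happens only at tunnel establishment
        return target.ip


def build_example_cluster() -> VirtualCluster:
    """The lesson's cluster (virtual IP 192.168.1.150, members .5, .6, .7).
    Models and session counts are constructed for this example."""
    return VirtualCluster("192.168.1.150", [
        Concentrator("192.168.1.5", "3060", max_sessions=100, active_sessions=50),
        Concentrator("192.168.1.6", "3030", max_sessions=100, active_sessions=10),
        Concentrator("192.168.1.7", "3015", max_sessions=100, active_sessions=20),
    ])


if __name__ == "__main__":
    cluster = build_example_cluster()
    print("master:", cluster.master.ip)          # 192.168.1.5 (priority 7)
    print("redirected to:", cluster.connect())   # 192.168.1.6 (10% load)
    cluster.master.alive = False                 # master fails; VCA re-elects
    print("redirected to:", cluster.connect(), "new master:", cluster.master.ip)
```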
Hardware Client Load-Balancing Configuration

This is the final step in configuring load balancing in the Hardware Client. In the Hardware Client, go to the Configuration>System>Tunneling Protocols>IPSec window. In the Remote Server field, verify that the cluster virtual IP address is specified. If not, modify the Remote Server IP address to reflect the virtual, rather than a physical, IP address of the Master Concentrator. In the example in the figure, the cluster virtual IP address is 192.168.1.150.

To support the load-balancing feature, the Hardware Client must use release 3.5 software or later. In prior releases, the Hardware Client does not support redirect messages.
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Configure the Cisco VPN Client Backup Server, and Load Balancing 


When the VCA filters have been added, the Concentrator load-balancing parameters configured, and the Hardware Client remote server address entered, you can launch the tunnel. In the example in the figure, the Cisco VPN 3002 attempted to connect to the cluster master, 192.168.1.150. From the cluster master, the Hardware Client received a re-direct message to connect to 192.168.1.5. In the Hardware Client Monitoring>System Status window, notice that the tunnel was established with 192.168.1.5.
VPN Software Client Load-Balancing Configuration
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This is the final step in configuring load balancing in the Software Client. In the Software Client, 
go to the Start>Programs>Cisco Systems VPN Client>VPN Client window. In the Host name or 
IP address of remote server field, add the cluster virtual IP address. In the example in the figure, 
the cluster virtual IP address is 192.168.1.150. 
Overview of the Cisco VPN Client Reverse Route Injection Feature

This topic presents an overview of the Cisco Virtual Private Network (VPN) Client Reverse Route Injection (RRI) feature.


Advertising VPN Client Routes 
Load balancing enables the VPN Client to connect to the least-loaded Concentrator. The good news is that the VPN Client load is shared across multiple Concentrators. The bad news is the question of how a headend device connects to the client when the client is attached to a different Concentrator each time a tunnel is established. The answer is RRI. Each time the VPN Client connects to a Concentrator, the Concentrator advertises the IP address of the VPN Client through its private interface. When the tunnel is disconnected, the Concentrator ceases to advertise the route. RRI enables a central site device to connect to the client regardless of which Concentrator the VPN Client is attached to at the time.
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After a VPN Client tunnel is established, the Concentrator can now add static or host routes to 
the routing table and announce these routes using OSPF or outbound RIP. There are two VPN 
Client applications within the RRI feature: client RRI and network extension RRI. (Address pool 
hold-down routes pertain to LAN-to-LAN applications and are not discussed in this lesson.) 
Reverse Route Injection window (figure: Configuration>System>IP Routing>Reverse Route Injection. Client Reverse Route Injection check box: check to add non-local (to the private interface) client host routes to the routing table. Network Extension Reverse Route Injection check box: check to add hardware client network extension connection routes to the routing table. Address Pool Hold Down Routes text box: enter each network address and subnet mask pair on a single line in the format network/mask, for example 192.168.90.64/255.255.255.192; if you are using the natural subnet mask, you may omit the subnet mask. Buttons: Apply, Cancel, Generate Hold Down Routes.)
The VPN Client RRI feature applies to all VPN Software and Hardware Clients using Port Address Translation (PAT) mode. To enable it, go to the Configuration>System>IP Routing>Reverse Route Injection window and select the Client Reverse Route Injection check box.

After the client tunnel is established, the Concentrator adds a host route to its routing table. The host route is advertised through the private interface, provided OSPF or outbound RIP is enabled on the private interface. The Concentrator deletes the route when the client disconnects.
Client RRI—Routing Table (figure: Cisco VPN 3002 in Client mode, assigned address 10.10.10.11, tunnel established across the Internet to the Concentrator, private interface 10.0.1.5 and public interface 192.168.1.5; the Concentrator advertises 10.10.10.11)

Tunnel established (Valid Routes: 4)

Address        Mask             Next Hop     Interface  Protocol  Age  Metric
0.0.0.0        0.0.0.0          192.168.1.6  2          Default   0    1
10.0.1.0       255.255.255.0    0.0.0.0      1          Local     0    1
10.10.10.11    255.255.255.255  192.168.1.6  2          Static    0    1
192.168.1.0    255.255.255.0    0.0.0.0      2          Local     0    1

No tunnel

Address        Mask             Next Hop     Interface  Protocol  Age  Metric
0.0.0.0        0.0.0.0          192.168.1.6  2          Default   0    1
10.0.1.0       255.255.255.0    0.0.0.0      1          Local     0    1
192.168.1.0    255.255.255.0    0.0.0.0      2          Local     0    1


In the example in the figure, Client RRI is enabled at the Concentrator and the Hardware Client 
is running in PAT mode. When the tunnel is launched, the Concentrator assigns the Hardware 
Client a virtual IP address: 10.10.10.11. Notice in the top routing table, 10.10.10.11 is listed and 
is advertised through the private interface on the Concentrator. When the tunnel is disconnected, 
the host entry is deleted from the routing table. Notice in the bottom routing table, the 
10.10.10.11 host route was deleted because the tunnel was dropped. 


Network Extension RRI (figure: Cisco VPN 3002 in Network Extension mode with private interface 192.168.201.2, tunnel established across the Internet; the Concentrator advertises host routes. The Configuration>System>IP Routing>Reverse Route Injection window is shown with the same fields described above: Client Reverse Route Injection check box, Network Extension Reverse Route Injection check box, Address Pool Hold Down Routes text box, and the Apply, Cancel, and Generate Hold Down Routes buttons.)
The Network Extension RRI feature applies only to a Hardware Client using Network Extension mode. To enable it, go to the Configuration>System>IP Routing>Reverse Route Injection window and select the Network Extension Reverse Route Injection check box.

When the tunnel is established, the Concentrator adds host routes to its routing table. The host routes are advertised through the private interface, provided OSPF or outbound RIP is enabled on the private interface. The routes are deleted when the client disconnects.
Network Extension RRI—Routing Table (figure: Cisco VPN 3002 in Network Extension mode with private interface 192.168.201.2, tunnel established across the Internet to the Concentrator, private interface 10.0.1.5 and public interface 192.168.1.5; the Concentrator advertises 192.168.201.0)

Tunnel established (Valid Routes: 4)

Address        Mask             Next Hop     Interface  Protocol  Age  Metric
0.0.0.0        0.0.0.0          192.168.1.6  2          Default   0    1
10.0.1.0       255.255.255.0    0.0.0.0      1          Local     0    1
192.168.1.0    255.255.255.0    0.0.0.0      2          Local     0    1
192.168.201.0  255.255.255.0    192.168.1.6  2          Static    0    1

No tunnel

Address        Mask             Next Hop     Interface  Protocol  Age  Metric
0.0.0.0        0.0.0.0          192.168.1.6  2          Default   0    1
10.0.1.0       255.255.255.0    0.0.0.0      1          Local     0    1
192.168.1.0    255.255.255.0    0.0.0.0      2          Local     0    1


In the example in the figure, Network Extension RRI is enabled at the Concentrator, and the 
Hardware Client is running in network extension mode. When the tunnel is launched, the 
Concentrator adds a route for the network behind the Hardware Client, 192.168.201.0, and 
advertises it through the private interface (the top routing table). When the tunnel is 
disconnected, the network address entry is deleted from the routing table (the bottom routing 
table). 
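The routing-table changes shown in the Client RRI and Network Extension RRI figures, reproduced in one model that also covers the cases the text calls out: the feature disabled for the client's mode, and no OSPF or RIP on the private interface. This is an added example, not Cisco code; class and method names are assumed, and the baseline routes and the next hop are the values shown in the figures.

```python
"""Model of Reverse Route Injection on the Concentrator (added example, not Cisco code).

Client RRI injects a /32 host route for a PAT-mode client's assigned address;
Network Extension RRI injects the route for the network behind the Hardware
Client. Either route exists only while its tunnel is up and is advertised on
the private interface only if OSPF or outbound RIP is enabled there.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Route:
    address: str
    mask: str
    next_hop: str
    interface: int     # 1 = private, 2 = public, as in the figures
    protocol: str      # Default, Local or Static
    age: int = 0
    metric: int = 1


class Concentrator:
    PUBLIC_NEXT_HOP = "192.168.1.6"   # next hop shown for the injected routes in the figures

    def __init__(self, client_rri: bool = False, net_ext_rri: bool = False,
                 routing_on_private: bool = True) -> None:
        self.client_rri = client_rri
        self.net_ext_rri = net_ext_rri
        self.routing_on_private = routing_on_private  # OSPF or outbound RIP on interface 1
        # Routing table with no tunnel up (the bottom table in each figure).
        self.routes: List[Route] = [
            Route("0.0.0.0", "0.0.0.0", self.PUBLIC_NEXT_HOP, 2, "Default"),
            Route("10.0.1.0", "255.255.255.0", "0.0.0.0", 1, "Local"),
            Route("192.168.1.0", "255.255.255.0", "0.0.0.0", 2, "Local"),
        ]
        self.injected: Dict[str, Route] = {}   # tunnel id -> route added by RRI
        self.advertised: List[str] = []        # prefixes announced on the private interface

    def tunnel_up(self, tunnel_id: str, mode: str, assigned_ip: Optional[str] = None,
                  network: Optional[str] = None, mask: Optional[str] = None) -> Optional[Route]:
        """Install the RRI route for a new tunnel if the feature for its mode is enabled."""
        if mode == "pat" and self.client_rri:
            if assigned_ip is None:
                raise ValueError("a PAT-mode client needs an assigned address")
            route = Route(assigned_ip, "255.255.255.255", self.PUBLIC_NEXT_HOP, 2, "Static")
        elif mode == "network-extension" and self.net_ext_rri:
            if network is None or mask is None:
                raise ValueError("network extension needs the remote network and mask")
            route = Route(network, mask, self.PUBLIC_NEXT_HOP, 2, "Static")
        else:
            return None   # feature not enabled for this client mode: nothing injected
        self.routes.append(route)
        self.injected[tunnel_id] = route
        if self.routing_on_private:
            self.advertised.append(f"{route.address}/{route.mask}")
        return route

    def tunnel_down(self, tunnel_id: str) -> bool:
        """Withdraw the injected route when the tunnel drops; True if one was removed."""
        route = self.injected.pop(tunnel_id, None)
        if route is None:
            return False
        self.routes.remove(route)
        prefix = f"{route.address}/{route.mask}"
        if prefix in self.advertised:
            self.advertised.remove(prefix)
        return True

    def valid_routes(self) -> int:
        return len(self.routes)

    def show(self) -> str:
        """Render the table in the layout of the Monitoring>Routing Table window."""
        head = f"{'Address':<15}{'Mask':<17}{'Next Hop':<13}{'Interface':<11}{'Protocol':<10}Age  Metric"
        rows = [f"{r.address:<15}{r.mask:<17}{r.next_hop:<13}{r.interface:<11}"
                f"{r.protocol:<10}{r.age:<5}{r.metric}" for r in self.routes]
        return "\n".join([f"Valid Routes: {self.valid_routes()}", head, *rows])


if __name__ == "__main__":
    c = Concentrator(client_rri=True)
    c.tunnel_up("pod1", "pat", assigned_ip="10.10.10.11")   # top table: 4 routes
    print(c.show())
    c.tunnel_down("pod1")                                   # bottom table: 3 routes
    print(c.show())
```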
Summary

This topic summarizes the information that was presented in this lesson.

Summary

• The Concentrator can be configured to advertise routes as VPN Clients connect.
• The VPN Client can be configured to connect to a backup Concentrator if the primary Concentrator is unavailable.
• The Concentrators can be configured for load balancing to spread the connection load between co-located Concentrators.
Lab Exercise—Configuring Cisco VPN 3002 Hardware Client Reverse Route Injection

Complete the following lab exercise to practice what you learned in this lesson.

Objectives

Your task in this lab exercise is to install and configure the Cisco Virtual Private Network (VPN) 3002 Hardware Client and configure the Cisco VPN 3000 Concentrator to enable IPSec encrypted tunnels. Work with your lab exercise partner to complete the following tasks:

■ Complete the lab exercise setup.
■ Configure the Cisco VPN 3000 Series Concentrator for Network Extension Reverse Route Injection.
■ Monitor the routing table in the Cisco VPN 3000 Series Concentrator with Network Extension Reverse Route Injection enabled.
■ Configure the Cisco VPN 3000 Series Concentrator for Client Reverse Route Injection.
■ Configure the Cisco VPN 3002 Hardware Client for client mode.
■ Monitor the routing table in the Cisco VPN 3000 Series Concentrator with Client Reverse Route Injection enabled.
Visual Objective

The following figure displays the configuration you will complete in this lab exercise.

Lab Visual Objective (figure: Student PC 192.168.1PP.2; Concentrator network 192.168.P.0)
Scenario 


Your company wants you to implement a VPN using remotely located Hardware Clients 
terminating at centrally located Concentrators. You want the IP address of the remote client to be 
advertised by the private interface of the Concentrator. 


Task 1—Complete the Lab Exercise Setup

Before starting this lab exercise, verify that your equipment is set up as follows:

■ Ensure that your student PC is powered on.
■ Ensure that your student PC IP addresses are configured correctly:
   — Primary IP address—192.168.1PP.2 (where PP = two-digit pod number [for example, Pod 1 is 01])
   — Default gateway IP address—192.168.1PP.1 (where PP = two-digit pod number)
■ Ensure that your Concentrator is powered on.
■ Ensure that your Hardware Client is powered on.


Task 2—Configure the Cisco VPN 3000 Series Concentrator for Network Extension Reverse Route Injection

With Network Extension Reverse Route Injection (RRI), the feature is enabled on the Concentrator. Once enabled, a new route is added to the routing table every time an IPSec tunnel is established. Complete the following steps to configure the Concentrator for Network Extension RRI:

Step 1 Launch Internet Explorer by double-clicking the desktop icon.

Step 2 Enter a Concentrator’s public interface IP address of 192.168.P.5 in the IP Address field of Internet Explorer (where P = pod number). The Connection/Login Status window opens.

Step 3 Click Connect Now to connect the IPSec tunnel.

Step 4 Complete the following sub-steps from the Hardware Client Interactive Authentication window:

Note The following entries are case sensitive and should be entered in all lower case.

1. Enter studentP in the User Name field (where P = pod number).
2. Enter studentP in the Password field (where P = pod number).
3. Click Continue to establish the IPSec tunnel to the remote Concentrator. The Hardware Client Connection/Login Status window opens and is replaced by the Cisco VPN 3000 Concentrator Series Manager.

Step 5 Log into the Concentrator using the administrator account:
Login: admin
Password: admin

Step 6 From the Monitoring menu tree, drill down to Routing Table.

Step 7 From the Monitoring>Routing Table window, answer the following question:
Q1) What three routes are listed?
A)

Step 8 From the Configuration menu tree, drill down to System>IP Routing>Reverse Route Injection.

Step 9 Select the Network Extension Reverse Route Injection check box and click Apply.

Step 10 Save the changes.

Step 11 Log out of the Concentrator. Do not close Internet Explorer.

Step 12 Enter a Hardware Client private interface (network extension mode) IP address of 192.168.1PP.1 in the Internet Explorer Address field (where PP = two-digit pod number).

Step 13 Log into the Hardware Client using the administrator account:
Login: admin
Password: admin
Both the username (login) and password are always case sensitive.


Step 14 From the Monitoring menu tree, drill down to System Status. 


Step 15 Click Disconnect Now. It may take several moments for the Hardware Client to disconnect. 


Step 16 Log out of the Hardware Client. Do not close Internet Explorer. 


Task 3—Monitor the Routing Table in the Cisco VPN 3000 Series Concentrator with Network Extension Reverse Route Injection Enabled

Complete the following steps to re-connect the IPSec tunnel and monitor the changes to the Concentrator’s routing table:

Step 1 Enter a Concentrator’s public interface IP address of 192.168.P.5 in the IP Address field (where P = pod number). The Connection/Login Status window opens.

Step 2 Click Connect Now to connect the IPSec tunnel.

Step 3 Complete the following sub-steps from the Hardware Client Interactive Authentication window.

Note The following entries are case sensitive and should be entered in all lower case.

1. Enter studentP in the User Name field (where P = pod number).
2. Enter studentP in the Password field (where P = pod number).
3. Click Continue to establish the IPSec tunnel to the remote Concentrator. The Hardware Client Connection/Login Status window opens and is replaced by the Cisco VPN 3000 Concentrator Series Manager.

Step 4 Log into the Concentrator using the administrator account:
Login: admin
Password: admin

Step 5 From the Monitoring menu tree, drill down to Routing Table.

Step 6 From the Monitoring>Routing Table window, answer the following question and fill in the blanks:

Q2) What four routes are listed?
A)

Q3) With Network Extension RRI enabled, if the Hardware Client establishes an IPSec tunnel, a route is ________ (added, deleted) to the routing table. When the IPSec tunnel is disconnected, the route is ________ (added, deleted) from the routing table.

Step 7 Do not log out of the Concentrator.


Task 4—Configure the Cisco VPN 3000 Series Concentrator for Client Reverse Route Injection

The IPSec tunnel from the Hardware Client to the Concentrator should still be established. Complete the following steps to configure the Concentrator for Client RRI:

Step 1 From the Configuration menu tree, drill down to System>IP Routing>Reverse Route Injection.

Step 2 Select the Client Reverse Route Injection check box.

Step 3 Deselect the Network Extension Reverse Route Injection check box.

Step 4 Click Apply.

Step 5 Save the changes.

Step 6 From the Monitoring menu tree, drill down to Routing Table.

Step 7 From the Monitoring>Routing Table window, answer the following question:
Q4) What three routes are listed?
A)

Step 8 Log out of the Concentrator. Do not close Internet Explorer.


Task 5—Configure the Cisco VPN 3002 Hardware Client for Client Mode

Complete the following steps to configure the Hardware Client for Client Mode:

Step 1 Enter a Hardware Client private interface (network extension mode) IP address of 192.168.1PP.1 in the Internet Explorer Address field (where PP = two-digit pod number).

Step 2 Log into the Hardware Client using the administrator account:
Login: admin
Password: admin
Both the username (login) and password are always case sensitive.

Step 3 In the main window, choose Configuration>Quick Configuration>PAT, and complete the following sub-steps:
1. Select Yes.
2. Click Continue.

Step 4 From the Quick Configuration toolbar, click Done.

Step 5 Log out of the Hardware Client.
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Task 6—Monitor the Routing Table in the Cisco VPN 3000 Series 
Concentrator with Client Reverse Route Injection Enabled 


Complete the following steps to re-connect the IPSec tunnel and monitor the Concentrator’s 
routing table: 


Step 1 Enter a Concentrator’s public interface IP address of 192.168.P.5 in the IP Address field (where P = pod number). The Connection/Login Status window opens.

Step 2 Click Connect Now to connect the IPSec tunnel.

Step 3 Complete the following sub-steps from the Hardware Client Interactive Authentication window. These entries are all case sensitive. Use lower case.

1. Enter studentP in the User Name field (where P = pod number).
2. Enter studentP in the Password field (where P = pod number).
3. Click Continue to establish the IPSec tunnel to the remote Concentrator. The Hardware Client Connection/Login Status window opens and is replaced by the Cisco VPN 3000 Concentrator Series Manager.

Step 4 Log into the Concentrator using the administrator account:
Login: admin
Password: admin

Step 5 From the Monitoring menu tree, drill down to Routing Table.

Step 6 From the Monitoring>Routing Table window, answer the following question and fill in the blanks:

Q5) What three routes are listed? (The Hardware Client assigned address is part of the 10.0.P.0 network.)
A)

Note The Concentrator assigns an IP address to the Hardware Client during IPSec tunnel establishment. The assigned IP address is part of the 10.0.P.0 network. When viewing the routing table, the Hardware Client’s assigned address is part of the 10.0.P.0 address space and does not appear as a separate entry in the table.

Q6) When Client RRI is enabled, if the Hardware Client establishes an IPSec tunnel, a host route is ________ (added, deleted) to the routing table. When the IPSec tunnel is disconnected, the host route is ________ (added, deleted) from the routing table.

Step 7 Log out of the Concentrator.

Step 8 Enter a Hardware Client private interface (network extension mode) IP address of 192.168.1PP.1 in the Internet Explorer Address field (where PP = two-digit pod number).

Step 9 Log into the Hardware Client using the administrator account:
Login: admin
Password: admin
Both the username (login) and password are always case sensitive.

Step 10 From the Monitoring menu tree, drill down to System Status.

Step 11 Click Disconnect Now. It may take several moments for the Hardware Client to disconnect.

Step 12 Log out of the Hardware Client and close Internet Explorer.
Configure the Cisco Virtual Private Network 3002 Hardware Client for Software Auto-Update

Overview

This lesson includes the following topics:

Objectives

This topic lists the lesson’s objectives.

Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

• Describe the Hardware Client software auto-update feature.
• Configure the Hardware Client for software auto-update.
• Monitor the Hardware Client software auto-update.
Overview and Configuration of the Cisco VPN 3002 Hardware Client Software Auto-Update Feature

This topic presents an overview of the Cisco Virtual Private Network (VPN) 3002 Hardware Client software auto-update feature.

Hardware Client Software Auto-Update Feature (figure: the Concentrator sends an update notification to the Hardware Client, which downloads the software via TFTP. Hardware Client update options: group basis or global basis.)
The Cisco VPN 3002 Hardware Client update feature enables administrators at a central location to automatically update software for Hardware Clients deployed in diverse locations. When you enable Hardware Client update, upon connection, the central-site Cisco VPN Concentrator sends an Internet Key Exchange (IKE) packet that contains an encrypted message, which notifies the VPN 3002 about acceptable versions of executable system software and their locations. If the Hardware Client is not running an acceptable version, its software is automatically updated via TFTP. During the update process, the Hardware Client logs event messages at the start of the update. When the update completes, the Hardware Client reboots automatically.

If the Hardware Client is already connected to the Concentrator, the administrator has the option of sending an update notification message. The update message notifies the Hardware Client about acceptable versions of software and their locations. If the Hardware Client is not running an acceptable version, its software is automatically updated via TFTP. The administrator may choose to update all the Hardware Clients in the network at once, or to update VPN 3002s on a group-by-group basis. This lesson discusses both options.
Three-Step Group Update Process (figure: the Client Update Enable window with the Enabled check box, “Check the box to enable Client Update functionality”, and Apply and Cancel buttons; the client update entry window with Client Type (for example, windows or vpn3002), URL of the file from which to update (the URL must point to an appropriate file type for the client), and Revisions (a comma-separated list of valid revisions; the URL above must be one of these revisions); and the notice that the connected clients in that group will receive a notice that they need to update their software, with a Continue button.)
Configuring the Hardware Client software auto-update feature is a three-step process: 

Step 1 Enable Hardware Client update functionality on the Concentrator. 

Step 2 Set the group update parameters (for example, Hardware Client and Software Client type, URL, 
and revisions). 

Step 3 (Optional.) Send an update notice to active clients. Update notice is explained later in this lesson. 
Step 1—Enable the Software Auto-Update Feature 

[Figure: Configuration>System>Client Update window. "This section of the Manager lets you configure Client Update. In the left frame, or in the list of links below, click the function you want: Enable -- enable Client Update; Entries -- configure the client type and URL entries for Client Update." The Enable window reads "Check the box to enable Client Update functionality." with the Enabled check box selected, and Apply and Cancel buttons.] 
Complete the following steps to enable the auto-update feature: 

Step 1 Choose the Configuration>System>Client Update window and click the Enable link. The 
Configuration>System>Client Update>Enable window opens. 

Step 2 Select the Enabled check box. 

Step 3 Click Apply. 

When enabled, the administrator must decide how to update the Cisco VPN clients: globally or 
by group. With a global update, all clients will be updated to a specific release of software from 
a specific server. If a more systematic, group-by-group approach is preferred, different servers 
can update different groups, at different times, to different releases of software. There is further 
discussion of global and group configurations later in the lesson. 
Modifying Group Updates 

[Figure: Configuration>User Management>Groups window. "This section lets you configure groups. A group is a collection of users treated as a single entity. Click the Add Group button to add a group, or select a group and click Delete Group or Modify Group. To modify other group parameters, select a group and click the appropriate button." Current Groups: training (Internally Configured). Actions: Add Group, Modify Group, Delete Group. Modify: Authentication Servers, Authorization Servers, Accounting Servers, Address Pools, Client Update, Bandwidth Assignment. Save Needed.] 
When updating the Hardware Client, the administrator must decide whether a system-wide 
update or a systematic update is in order. Complete the following steps to configure a group 
update: 

Step 1 Choose the Configuration>User Management>Groups window and select the appropriate group 
in the Current Groups field. 

Step 2 Click Client Update in the Modify column. 
Step 2—Set the Group Update Parameters 

[Figure: Configuration>User Management>Groups>Client Update window for the training group. "This section lets you configure Client Update entries. Click the Add button to add an entry, or select an entry and click Modify or Delete. Click Done to finish." The Client Update entries list for training is Empty. The Add window reads "Add client update information." with fields Client Type: vpn3002 (enter the client type, e.g., windows or vpn3002, that is to be updated); URL: tftp://10.0.1.10/vpn3002-4.0.1.Rel-k9.bin (enter the URL of the file from which to update; the URL must point to an appropriate file type for the client); Revisions: 4.01 Release (enter a comma-separated list of valid revisions; the URL above must be one of these revisions); Add and Cancel buttons.] 


In the previous step, the administrator selected the Client Update button. In this step, the 
administrator configures group-specific Hardware Client auto-update parameters. The 
Configuration>User Management>Groups>Client Update window shows the Client Update 
entries for the selected group. Because no updates have been configured, the list displays Empty. 
Click Add under the Actions column to add a new client update entry. The Manager opens the 
Configuration>User Management>Groups>Client Update>Add window. The entries are as follows: 

■ Client Type—For the VPN 3002, the entry must be vpn3002 (case- and space-sensitive). 

■ URL—The format is tftp://server_address/directory/filename. The server address can be 
either an IP address or a hostname if you have configured a DNS server (for example, 
tftp://10.0.1.10/vpn3002-4.0.1.Rel-k9.bin, where 10.0.1.10 is the server address and 
vpn3002-4.0.1.Rel-k9.bin is the filename on the TFTP server). 

■ Revisions—Enter a comma-separated list of software versions acceptable for the Hardware 
Client (for example, 4.0.1 Release). The entries are case sensitive. The Hardware Client 
considers 4.0.1 Release and 4.0.1 release different versions of software. The image at the URL 
must be one of the listed revisions; otherwise the client downloads an image that still fails 
the revision check and updates again at the next connection. 

If the Hardware Client is already running a software version on the list, it does not need a software 
update. If the Hardware Client is not running a software version on the list, an update is needed. 
The Hardware Client software is automatically updated via TFTP. 
Group Update Entries 

[Figure: Configuration>User Management>Groups>Client Update window. "This section lets you configure Client Update entries. Click the Add button to add an entry, or select an entry and click Modify or Delete. Click Done to finish." Client Update entries for training: vpn3002 (4.01 Release). Actions: Add, Modify, Delete, Done. Save Needed.] 
The Configuration>User Management>Groups>Client Update window displays the entries for 
the training group. Each entry shows the platform and acceptable software version. In the 
example in the figure, vpn3002 (4.01 Release) is listed; vpn3002 is the Hardware Client type, 
and 4.01 Release is the preferred software revision. 
Step 3—Send an Update Notice 

[Figure: Administration>Software Update window. "This section of the Manager lets you update software on the VPN 3000 Concentrator or clients. In the left frame, or in the list of links below, click the function you want: Concentrator -- update the VPN 3000 Concentrator software; Clients -- update hardware and software clients." The Clients window reads "This screen allows you to update software on clients. Select a group to only update clients in that group. Please refer to your product documentation to determine which versions of the software client support this feature." Group: training; Upgrade Clients Now, Cancel. The Success window reads "The connected clients in that group will receive a notice that they need to update their software." Continue.] 
The last step is to send an optional update notification to the Hardware Client: 

Step 1 Choose the Administration>Software Update window, and click the Clients link. The 
Administration>Software Update>Clients window opens. 

Step 2 Choose the Hardware Client group for this update from the Group drop-down menu. The default 
is All, which lets you update the software for all groups. The Concentrator updates VPN clients 
by group, in batches of ten, at five-minute intervals. 

Step 3 Click Upgrade Clients Now to send the update notification. If sent successfully, the Success 
window opens. 

In the example in the figure, the training group is selected to get an update notification. When 
the user clicked Upgrade Clients Now, the Success window opened. The connected VPN 
Clients in the training group will receive an update notification message. This is a proactive, 
forceful attempt to update clients without waiting for the client to drop the IPSec tunnel and 
reconnect. This process may be necessary in cases where an update is immediately required for 
functionality, for security reasons, or for clients that have “always on” connections. The 
disconnected members of the training group will receive an update message the next time they 
connect to the Concentrator. 


Copyright © 2005, Cisco Systems, Inc. Configure the Cisco VPN 3002 Hardware Client for Software Auto-Update 13-9 


Global Update Parameters 

[Figure: Configuration>System>Client Update>Entries window. "This section lets you configure Client Update entries. Click the Add button to add an entry, or select an entry and click Modify or Delete." The Add window reads "Add client update information." with Client Type: vpn3002; URL: tftp://10.0.1.10/vpn3002-4.0.1.Rel-k9.bin; Revisions: 4.01 Release. After Add, the Client Update Entries list shows vpn3002 (4.01 Release). Save Needed.] 


Parameters can be updated on a global basis. With global updates, all groups upgrade to the 
same software from the same TFTP server. Complete the following steps to define global update 
parameters: 

Step 1 Choose the Configuration>System>Client Update>Entries window, and click Add. The 
Configuration>System>Client Update>Entries>Add window opens. 

Step 2 Configure the global VPN Client type, URL, and revision number by entering the information in 
the corresponding fields. 

Step 3 Click Add. The final results are viewable in the Configuration>System>Client Update>Entries 
window. 

In the example in the figure, the VPN Client type is the VPN 3002. The Hardware Client 
software file vpn3002-4.0.1.Rel-k9.bin is available for download from the TFTP server 
10.0.1.10. The valid revision level is set to 4.01 Release. This information can be sent to a 
specific group, or all groups. Choose the Administration>Software Update>Clients window to 
send the update notification message. 
Monitoring the Cisco VPN 3002 Hardware Client 
Software Auto-Update Feature 


When the update notification is sent, the administrator can monitor the status of the upgrade on 
the Hardware Client. 


Hardware Client Filterable Event Log 

[Figure: two Monitoring>Filterable Event Log windows on the Hardware Client, each with Select Filter Options (Event Class: All Classes, AUTH, AUTHDBG, AUTHDECODE ...; Severities; Client IP Address 0.0.0.0; Events/Page 100; Direction Oldest to Newest; GetLog, ClearLog).] 

Up-to-date (left): 
18 03/05/2002 13:15:33.750 SEV=4 AUTOUPDATE/5 RPT=1 
Current version 3.5.1.Rel is up to date. 

Not up-to-date (right): 
18 03/06/2002 08:24:24.760 SEV=4 AUTOUPDATE/6 RPT=1 
Current version 3.5.2.Rel does not match 3.5.1.Rel. 
19 03/06/2002 08:24:24.760 SEV=4 AUTOUPDATE/7 RPT=1 
Updating firmware to 3.5.1.Rel from 3.5.2.Rel. 
20 03/06/2002 08:24:24.760 SEV=4 AUTOUPDATE/12 RPT=1 
Update firmware will now begin using file vpn3002-3_5_2_Rel-k9.bin on server 10.0.1.10 [0a000104]. 
36 03/06/2002 08:25:36.180 SEV=4 AUTOUPDATE/18 RPT=1 
Image was successfully downloaded. The unit will now reboot. 


In the Monitoring>Filterable Event Log window, the administrator can view the Hardware Client 
update information. To only view the update-specific information, scroll down in the Event 
Class window and select AUTOUPDATE. In the example in the figure, there are two versions. 
In the event log on the left, the Hardware Client received a notification message. The software 
version on the Hardware Client is up to date. No upgrade was necessary. 

In the event log on the right, the Hardware Client software version does not match the software 
version in the notification message. The Hardware Client software is updated from 3.5.1.Rel to 
3.5.2.Rel. The software file vpn3002-3_5_2_Rel-k9.bin is downloaded from the TFTP server 
10.0.1.10. The image was successfully loaded and the Hardware Client automatically rebooted. 

The Hardware Client stores image files in two locations: the active location, which stores the 
image currently running on the system, and the backup location. Updating the image overwrites 
the stored image file in the backup location and makes it the active location for the next reboot. 
The client auto-update process includes a test to validate the updated image. In the unlikely 
event that a Hardware Client auto-update is unsuccessful, the Hardware Client does not reboot, 
and the invalid image does not become active. The auto-update feature retries up to twenty times 
at three-minute intervals. If an auto-update is unsuccessful, the log files contain information 
indicating TFTP failures. 
Release Is Case Sensitive 

[Figure: Monitoring>Filterable Event Log window with Select Filter Options (Event Class: All Classes, AUTH, AUTHDBG, AUTHDECODE ...; Severities; Client IP Address 0.0.0.0; Events/Page 100; Direction Oldest to Newest; GetLog, Clear Log).] 

18 03/05/2002 13:34:10.510 SEV=4 AUTOUPDATE/6 RPT=1 
Current version 3.5.2.Rel does not match 3.5.2.rel. 
19 03/05/2002 13:34:10.510 SEV=4 AUTOUPDATE/7 RPT=1 
Updating firmware to 3.5.2.rel from 3.5.2.Rel. 
20 03/05/2002 13:34:10.510 SEV=4 AUTOUPDATE/12 RPT=1 
Update firmware will now begin using file vpn3002-3_5_2_Rel-k9.bin on server 10.0.1.10 [0A000104]. 
The auto-update event log messages are used to troubleshoot the Hardware Client software 
upgrade. In the example in the figure, the administrator misspelled the software version number, 
3.5.2.rel. The proper, case-sensitive spelling is 3.5.2.Rel. The software version is case and space 
sensitive. In this example, every time a notification message is sent or the Hardware Client 
reconnects to the Concentrator, an update takes place: the unit downloads the same image again, 
reboots, and still reports a mismatch, because the installed image can never equal the misspelled 
revision string. 
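The revision check described under Step 2 and the AUTOUPDATE log messages in the two monitoring figures can be modelled and audited offline. The following is an added example written for this page; it is not Cisco code and talks to no Concentrator or Hardware Client. The decision rule (an exact, case- and space-sensitive match of the running version against the comma-separated Revisions list) and the log line formats follow this lesson's text and figures; the function names, the finding texts and the constructed SAMPLE_LOG are the example's own.

```python
"""Auto-update decision rule and AUTOUPDATE event-log auditor for the VPN 3002.
Added example for this page, not Cisco code; it talks to no device.  The rule
(exact, case- and space-sensitive match against the Revisions list) and the
log formats follow this lesson's text and figures.  SAMPLE_LOG is constructed."""
from __future__ import annotations

import re
from urllib.parse import urlparse


def parse_revisions(field: str) -> list[str]:
    """Split the Revisions field (comma separated).  Only whitespace around the
    commas is removed; case and interior spaces are kept, because the Hardware
    Client treats '4.0.1 Release' and '4.0.1 release' as different versions."""
    return [r.strip() for r in field.split(",") if r.strip()]


def needs_update(running: str, revisions: list[str]) -> bool:
    """True when the running version is not one of the acceptable revisions."""
    return running not in revisions


def parse_tftp_url(url: str) -> tuple[str, str]:
    """Split tftp://server_address/directory/filename into (server, filename)."""
    u = urlparse(url)
    if u.scheme != "tftp" or not u.hostname or not u.path.strip("/"):
        raise ValueError(f"not a tftp://server/path URL: {url!r}")
    return u.hostname, u.path.rsplit("/", 1)[-1]


# Header: "<seq> <date> <time> SEV=<n> AUTOUPDATE/<code> RPT=<n>"; the message
# text follows on the next line(s), as in the lesson's event-log figures.
HEADER = re.compile(r"^\d+\s+(\S+ \S+)\s+SEV=(\d)\s+AUTOUPDATE/(\d+)\s+RPT=\d+")
MISMATCH = re.compile(r"^Current version (.+?) does not match (.+)\.$")
UPDATING = re.compile(r"^Updating firmware to (.+?) from (.+)\.$")
BEGIN = re.compile(r"using file (\S+) on server (\S+)")


def parse_autoupdate_log(text: str) -> list[dict]:
    """Pair each AUTOUPDATE header with the message line(s) that follow it."""
    events: list[dict] = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = HEADER.match(line)
        if m:
            events.append({"time": m.group(1), "sev": int(m.group(2)),
                           "code": int(m.group(3)), "msg": ""})
        elif events:   # continuation of the current message
            events[-1]["msg"] = (events[-1]["msg"] + " " + line).strip()
    return events


def audit_autoupdate(events: list[dict]) -> list[str]:
    """Flag the failure modes the lesson describes: a Revisions entry that differs
    from the running version only in case/spacing (re-flash on every reconnect),
    the same update repeating, and a download that never reports completion."""
    findings: list[str] = []
    seen: dict[tuple[str, str], int] = {}
    downloading: tuple[str, str] | None = None
    for ev in events:
        code, msg = ev["code"], ev["msg"]
        if code == 6 and (m := MISMATCH.match(msg)):
            cur, want = m.group(1), m.group(2)
            if cur.lower().replace(" ", "") == want.lower().replace(" ", ""):
                findings.append(f"Revisions entry {want!r} differs from running "
                                f"{cur!r} only in case/spacing; unit will "
                                "re-flash and reboot on every reconnect")
        elif code == 7 and (m := UPDATING.match(msg)):
            key = (m.group(1), m.group(2))
            seen[key] = seen.get(key, 0) + 1
            if seen[key] == 2:
                findings.append(f"update to {key[0]!r} from {key[1]!r} seen twice; "
                                "the image at the URL does not satisfy the Revisions list")
        elif code == 12 and (m := BEGIN.search(msg)):
            downloading = (m.group(1), m.group(2))
        elif code == 18:   # "Image was successfully downloaded"
            downloading = None
    if downloading:
        findings.append(f"download of {downloading[0]} from {downloading[1]} "
                        "never reported completion; check for TFTP failures")
    return findings


# Constructed sample in the format of the "Release Is Case Sensitive" figure,
# deliberately without an AUTOUPDATE/18 completion event.
SAMPLE_LOG = """\
18 03/05/2002 13:34:10.510 SEV=4 AUTOUPDATE/6 RPT=1
Current version 3.5.2.Rel does not match 3.5.2.rel.
19 03/05/2002 13:34:10.510 SEV=4 AUTOUPDATE/7 RPT=1
Updating firmware to 3.5.2.rel from 3.5.2.Rel.
20 03/05/2002 13:34:10.510 SEV=4 AUTOUPDATE/12 RPT=1
Update firmware will now begin using file vpn3002-3_5_2_Rel-k9.bin on server 10.0.1.10 [0A000104].
"""

if __name__ == "__main__":
    print(needs_update("4.0.1.Rel", parse_revisions("4.0.0.Rel, 4.0.1.Rel")))
    print(*audit_autoupdate(parse_autoupdate_log(SAMPLE_LOG)), sep="\n")
```

Feed the auditor the text pasted from the Hardware Client's Filterable Event Log (with the Event Class set to AUTOUPDATE). A "seen twice" finding on a unit that keeps rebooting is the signature of the Task 4 lab scenario, where the Revisions field no longer names the image the URL delivers.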
Summary 

This topic summarizes the information that was presented in this lesson. 

Summary 

■ Hardware Client operating software can be updated 
automatically. 

■ The auto-update feature is configured in the 
Concentrator. 

■ Update notification is sent to the Hardware Client 
automatically at connection time or manually by the 
administrator. 

■ If the Hardware Client release version in the notification 
message does not match the Hardware Client running 
version, the Hardware Client upgrades its software. 
Lab Exercise—Configure the Cisco VPN 3002 
Hardware Client Auto-Update Feature 

Complete the following lab exercise to practice what you learned in this lesson. 

Objectives 

Your task in this lab exercise is to install and configure the Cisco Virtual Private Network (VPN) 
3002 Hardware Client and the Cisco VPN 3000 Series Concentrator to enable IPSec encrypted 
tunnels. Work with your lab exercise partner to complete the following tasks: 

■ Complete the lab exercise setup. 
■ Configure the Cisco VPN 3002 Hardware Client auto-update feature. 
■ Automatically update the Cisco VPN 3002 Hardware Client system software. 
■ Edit the auto-update revisions field. 
■ Force the Cisco VPN 3002 Hardware Client to automatically update its software. 
■ Disable the Cisco VPN 3002 Hardware Client auto-update feature. 
Visual Objective 

The following figure displays the configuration you will complete in this lab exercise. 

Lab Visual Objective 

[Figure: student PC (192.168.1PP.2) on the 192.168.1PP.0 network behind the Hardware Client, which connects across the 192.168.P.0 network to the Concentrator.] 
Scenario 

Your company wants you to implement an automatic update strategy for your remotely located 
Hardware Clients. You must configure the Concentrator to use the Hardware Client auto-update 
feature. You must monitor the auto-update to make sure it was completed successfully. 

Task 1—Complete the Lab Exercise Setup 

Before starting this lab exercise, verify your equipment is set up as follows: 
■ Ensure that your student PC is powered on. 
■ Ensure that your student PC IP addresses are configured correctly: 

— Primary IP address—192.168.1PP.2 
(where PP = two-digit pod number [for example, Pod 1 is 01]) 

— Default gateway IP address—192.168.1PP.1 
(where PP = two-digit pod number) 

■ Ensure that your Concentrator is powered on. 
■ Ensure that your Hardware Client is powered on. 
■ Ensure that the Trivial File Transfer Protocol (TFTP) server is loaded with the correct 
version of the Hardware Client operating software. 

Your instructor will provide you with the correct username and password to log into the student 
PC. 


Task 2—Configure the Cisco VPN 3002 Hardware Client Auto-Update 
Feature 

Complete the following steps to configure the Hardware Client auto-update feature: 

Note This procedure assumes that Windows 2000 is already running on the student PC. 

Step 1 Launch Internet Explorer by double-clicking the desktop icon. 

Step 2 Enter a Concentrator’s public interface IP address of 192.168.P.5 in the Internet Explorer 
Address field (where P = pod number). The Connection/Login Status window opens. 

Step 3 Click Connect Now to connect the IPSec tunnel. 

Step 4 Complete the following sub-steps from the Concentrator Interactive Authentication window: 

Note These entries are all case-sensitive. Use lower case. 

1. Enter studentP in the User Name field. 
(where P = pod number) 

2. Enter studentP in the Password field. 
(where P = pod number) 

3. Click Continue to establish the tunnel to the remote Concentrator. The Hardware Client 
Connection/Login Status window will appear and then be replaced by the Cisco VPN 3000 
Concentrator Series Manager. 

Step 5 Log into the Cisco VPN 3000 Concentrator Series Manager using the administrator account: 
Login: admin 
Password: admin 

The username (login) and password are always case sensitive. 

Step 6 From the Configuration menu, drill down to System>Client Update. The Configuration>System> 
Client Update window opens. 

Step 7 Select Enable. The Configuration>System>Client Update>Enable window opens. 

Step 8 Verify the Enabled check box is selected. 

Step 9 Click Apply. 

Step 10 From the Configuration menu, drill down to User Management>Groups. 

Step 11 Choose training from the Current Group list. 
Step 12 Click Client Update. The Configuration>User Management>Groups>Client Update window 
opens. 

Step 13 Click Add. The Configuration>User Management>Groups>Client Update>Add window opens. 

Step 14 Complete the following sub-steps from the Configuration>User Management>Groups>Client 
Update>Add window: 

1. Enter vpn3002 in the Client Type field. 

2. Enter tftp://10.0.P.10/vpn3002-4.0.1.Rel-k9.bin in the URL field. 

3. Enter 4.0.1.Rel in the Revisions field. 

4. Click Add. 

Step 15 Save the changes. 

Step 16 Log out of the Concentrator and do not close Internet Explorer. 


Task 3—Automatically Update the Cisco VPN 3002 Hardware Client 
System Software 

During tunnel establishment, the Concentrator sends a message to the Hardware Client that a 
specific revision of operating software is required. If the revision in the message matches the 
current operating software, the event log will log the event. The Hardware Client will not try to 
update the system software. Complete the following steps to receive an auto-update message: 

Step 1 Enter a Hardware Client private interface (Client mode) IP address of 192.168.1PP.1 in the 
Internet Explorer Address field. 
(where PP = two-digit pod number) 

Step 2 Log into the Hardware Client using the administrator account: 
Login: admin 
Password: admin 

Both the username (login) and password are always case sensitive. 

Step 3 From the Monitoring menu, drill down to System Status. 

Step 4 Click Disconnect Now. It takes several moments for the Hardware Client tunnel to disconnect. 

Step 5 Click Connect Now to connect the tunnel. The Hardware Client Interactive Authentication 
window opens. 

Step 6 Complete the following sub-steps from the Hardware Client Interactive Authentication window: 

Note These entries are all case-sensitive. Use lower case. 

1. Enter studentP in the User Name field. 
(where P = pod number) 

2. Enter studentP in the Password field. 
(where P = pod number) 
Step 7 Click Continue to establish the tunnel to the remote Concentrator. It takes several moments for 
the IPSec tunnel to connect. 

Step 8 From the Monitoring menu, drill down to Filterable Event Log. 

Step 9 Complete the following sub-steps from the Monitoring>Filterable Event Log window: 

1. Choose Auto Update from the Event Classes list. 

2. Click |<< to retrieve the log. Repeat as needed until you see the auto-update event message. 

Step 10 Answer the following question from the event log: 

Q1) Is the current version of the Hardware Client software up to date? 

A) 

Step 11 Click Clear Log after you finish viewing the Filterable Event Log. 

Step 12 Log out of the Hardware Client and do not close Internet Explorer. 


Task 4—Edit the Auto-Update Revisions Field 

In the last task, no update was performed since the Hardware Client software was up to date. In 
this task, you will edit the revision field to force an update. Complete the following steps to modify 
the revision field: 

Step 1 Enter a Concentrator’s public interface IP address of 192.168.P.5 in the Internet Explorer 
Address field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 
Concentrator Series Manager. 

Step 2 Log into the Cisco VPN 3000 Concentrator Series Manager using the administrator account: 
Login: admin 
Password: admin 

The username (login) and password are always case sensitive. 

Step 3 From the Configuration menu, drill down to User Management>Groups. 

Step 4 Choose training from the Current Group list. 

Step 5 Click Client Update. The Configuration>User Management>Groups>Client Update window 
opens. 

Step 6 Select vpn3002 (4.0.1.Rel) from the Update Entry column. 

Step 7 Click Modify. The Configuration>User Management>Groups>Client Update>Modify window 
opens. 

Step 8 Complete the following sub-steps from the Configuration>User Management>Groups>Client 
Update>Modify window: 

1. In the Revisions field, change the field to read 4.0.0.Rel. (This forces an update: the 
Hardware Client’s running release, 4.0.1.Rel, no longer matches the listed revision, 4.0.0.Rel, 
so the client downloads the image named in the URL even though the URL has not changed.) 

2. Click Apply. 

Step 9 Save the changes. 

Step 10 Log out of the Concentrator and do not close Internet Explorer. 


Task 5—Force the Cisco VPN 3002 Hardware Client to Automatically 
Update its Software 

During tunnel establishment, the Concentrator sends an update message to the Hardware Client 
that a specific revision of operating software is required. In the prior task, you modified the 
revision name. This will force the Hardware Client to update its operating software. Complete 
the following steps to force a software update: 

Step 1 Enter a Hardware Client private interface (Client mode) IP address of 192.168.1PP.1 in the 
Internet Explorer Address field. 
(where PP = two-digit pod number) 

Step 2 Log into the Hardware Client using the administrator account: 
Login: admin 
Password: admin 

Both the username (login) and password are always case sensitive. 

Step 3 From the Monitoring menu, drill down to System Status. 

Step 4 Click Disconnect Now. It takes several moments for the Hardware Client tunnel to disconnect. 

Step 5 Click Connect Now to connect the tunnel. The Hardware Client Interactive Authentication 
window opens. 

Step 6 Complete the following sub-steps from the Hardware Client Interactive Authentication window. 

Note These entries are all case sensitive. Use lower case. 

1. Enter studentP in the User Name field. 
(where P = pod number) 

2. Enter studentP in the Password field. 
(where P = pod number) 

Step 7 Click Continue to establish the tunnel to the remote Concentrator. It takes several moments for 
the Hardware Client tunnel to connect. 

Step 8 From the Monitoring menu, drill down to Filterable Event Log. 

Step 9 Complete the following sub-steps from the Monitoring>Filterable Event Log window: 

1. Choose Auto Update from the Event Classes list. 

2. Click |<< to retrieve the log. Repeat as needed to see all of the auto-update messages. 

Step 10 Answer the following questions and fill in the blanks from the Event log: 

Q2) Does the Hardware Client’s current version of software match the downloaded request? 

A) 
Q3) The Hardware Client will upgrade its software to version ______ from version ______. 

Q4) Which file will the Hardware Client TFTP download? 

A) 

Q5) What is the IP address of the TFTP server? 

A) 

Q6) Was the updated image successfully downloaded? 

A) 

Q7) The update process took approximately how many minutes? 

A) 

Step 11 Log out of the Hardware Client and do not close Internet Explorer. 


Task 6—Disable the Cisco VPN 3002 Hardware Client Auto-Update 


Feature 


Complete the following steps to disable the Hardware Client auto-update feature: 


Step 1 Enter a Concentrator’s public interface IP address of 192.168.P.5 in the Internet Explorer Address 
field (where P = pod number). The Connection/Login Status window opens. 

Step 2 Click Connect Now to connect the tunnel. 

Step 3 Complete the following sub-steps from the Hardware Client Interactive Authentication window. 

Note These entries are all case sensitive. Use lower case. 

1. Enter studentP in the User Name field. 
(where P = pod number) 

2. Enter studentP in the Password field. 
(where P = pod number) 

Note When re-establishing the IPSec tunnel, the Concentrator sends an update message to the 
Hardware Client. Because the Revisions field (4.0.0.Rel) still does not match the image the 
URL delivers (4.0.1.Rel), the Hardware Client will update and reboot again. You have 
approximately 2 minutes after clicking Continue to disable the Client Update feature before the 
Hardware Client performs another update and reboot. If you miss the 2-minute window, wait 
for the Hardware Client to reboot, and then try to complete the disable commands again. 

3. Click Continue to establish the tunnel to the remote Concentrator. The Hardware Client 
Connection/Login Status window opens and is then replaced by the Cisco VPN 3000 
Concentrator Series Manager. 

Step 4 Log into the Concentrator using the administrator account: 
Login: admin 
Password: admin 


Step 5 From Configuration menu, drill down to System>Client Update. The Configuration>System> 
Client Update window opens. 


Step 6 Select Enable. The Configuration>System>Client Update>Enable window opens. 
Step 7 Deselect the Enabled check box. 

Step 8 Click Apply. 

Step 9 From Configuration menu, drill down to User Management>Groups. 

Step 10 Choose training from the Current Group list. 


Step 11 Click Client Update. The Configuration>User Management>Groups> Client Update window 
opens. 


Step 12 Select vpn3002 (4.0.0.Rel) from the Update Entry column, and then click Delete. 
Step 13 Click Done. 
Step 14 Save the changes. 


Step 15 Log out of the Concentrator and close Internet Explorer. 


Lab 13-8 Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc. 


Configuring the Cisco Virtual 
Private Network 3000 Series 
Concentrator for IPSec over 
UDP and IPSec over TCP 


Overview 

This lesson includes the following topics: 
■ Objectives 
■ Overview of Port Address Translation 
■ Configuring IPSec over UDP 
■ Configuring NAT Traversal 
■ Configuring IPSec over TCP 
■ Monitoring session statistics 
■ Summary 


Objectives 

This topic lists the lesson’s objectives. 

Objectives 

Upon the completion of this lesson, you will be 
able to perform the following tasks: 

■ Describe how address translation works at the port level. 
■ Explain the IPSec address translation issue. 
■ Describe the three Concentrator translation options. 
■ Configure the Concentrator for IPSec over UDP. 
■ Configure the Concentrator for NAT Traversal. 
■ Configure the Concentrator for IPSec over TCP. 
■ Monitor session statistics. 
Overview of Port Address Translation 

This topic presents an overview of Port Address Translation (PAT). 

NAT 

[Figure: a PC at the remote office with address 192.168.1.5 reaches the application server at the corporate office through a NAT device, which translates 192.168.1.5 to 205.151.254.10.] 


Before IPSec over UDP or IPSec over TCP is discussed, the issues surrounding IPSec through 
PAT or Network Address Translation (NAT) devices must first be discussed. 

The Internet Assigned Numbers Authority (IANA) created nonroutable private address space: 
■ Class A 10.0.0.0 to 10.255.255.255 
■ Class B 172.16.0.0 to 172.31.255.255 
■ Class C 192.168.0.0 to 192.168.255.255 

Nonroutable private address space gives companies more addresses to use within their 
companies, such as the company intranet. These private addresses are easily routed within the 
company space. The issue is how a company routes the information between campuses or 
companies over the Internet. These addresses are not globally unique; the Internet cannot route 
them. Only globally unique addresses can be routed through the Internet. NAT enables 
nonroutable address space to be translated into routable, globally unique addresses. A NAT 
device translates a nonroutable address into one of the globally unique addresses assigned to the 
company. The newly addressed frame is routable through the Internet. 

In the example in the figure, at the remote end, the PC has been assigned a nonroutable address 
of 192.168.1.5. The end user wants to communicate with the corporate server at a different 
location. The frame must travel through the Internet to travel between sites. Unfortunately, with 
the current private addressing scheme, the frame cannot be routed through the Internet. The issue 
is solved by first sending the frame to a NAT device. By using a NAT device, the nonroutable 
address can be translated into a routable address of 205.151.254.10. The frame is now routable 
and is sent through the Internet. The corporate applications server receives the data, formulates a 
response, and returns a response to 205.151.254.10, the NAT device. The NAT device translates 
the frame address from 205.151.254.10 back to 192.168.1.5. 

NAT works on a one-for-one relationship: one nonroutable address in, and one routable address 
out. A problem develops when the company has a large number of nonroutable source addresses 
that need to translate into a finite number of Class C routable addresses. The routable address 
pool may soon dry up. 
NAT (cont.) 

[Figure: two PCs at the remote office, 192.168.1.5 and 192.168.1.6, both reach the application server at the corporate office through the same NAT device.] 
The challenge comes in when there are multiple devices at the remote end. In the example in the 
figure, there are two computers with separate nonroutable addresses of 192.168.1.5 and 
192.168.1.6. Both devices need to talk to the application server through a Network Address 
Translation (NAT) device. The issue is there is only one available globally unique IP address. 


In the first instance, 192.168.1.5 sends a message to the NAT device, which translates the source 
address from 192.168.1.5 to 205.151.254.10. The message is routed through the Internet. The 
corporate application server receives the message, formulates a response, and sends a reply back 
to 205.151.254.10 address, the NAT device. The NAT device in turn translates the routable 
address back to 192.168.1.5. 


When the second of the two PCs tries to send a frame, 192.168.1.6 sends a message to the 
application server. The PC forwards the frame to the NAT device, which translates the source 
address from 192.168.1.6 to 205.151.254.10. The message is sent through the Internet. The 
corporate application server receives the message, formulates a response, and sends a reply via 
the 205.151.254.10 address. The NAT device will be confused. Who is the recipient of the 
frame, PC one, or PC two? The NAT device cannot differentiate between the two remote PCs. 


This is where a PAT device fits. 
PAT 
Cisco.com 

Figure: remote office PCs to the corporate office application server through a PAT device. 
  192.168.1.5 port 10000  ->  205.151.254.10 port 600 
  192.168.1.6 port 10000  ->  205.151.254.10 port 601 
Port Address Translation (PAT) works at the TCP and UDP port level. It enables multiple 
devices to be multiplexed over one globally unique IP address. Each time the PAT device 
receives a frame, it translates the source IP address and port number into the public IP address 
and a port number that is unique to that device. One IP address can therefore support multiple 
devices, using a different port number for each device. 


In the example in the figure, during the first instance, the first PC, 192.168.1.5, sends a message 
to the PAT device, which translates the address from 192.168.1.5 port 10000, to 205.151.254.10 
port 600. The message is routed through the Internet. The corporate application server receives 
the message, formulates a response, and sends a reply via the 205.151.254.10 port 600. The PAT 
device receives the message and in turn translates the response address back to 192.168.1.5 port 
10000. 


In the next instance, the second PC, 192.168.1.6, sends a message to the PAT device, which 
translates the address from 192.168.1.6 port 10000, to 205.151.254.10 port 601. The message is 
sent through the Internet. The corporate application server receives the message, formulates a 
response, and sends a reply via 205.151.254.10 port 601. The PAT device receives the message 
and translates the response from 205.151.254.10 port 601, to 192.168.1.6 port 10000. In this 
case, the information is sent to the second PC. The UDP port numbers, 600 and 601, are used to 
differentiate between unique remote devices. 
PAT (cont.) 
Cisco.com 

PAT translation table (figure): 
  Source address / port        Translated source address / port 
  192.168.1.5 port 10000       205.151.254.10 port 600 
  192.168.1.6 port 10000       205.151.254.10 port 601 
Within the Port Address Translation (PAT) device, there is a translation table that is used to 
translate between nonroutable and routable IP addresses and port numbers. In the example in the 
figure, a remote PC needs to send a message to the corporate office. To do so, the remote office 
sends the message to the PAT device. The first entry in the PAT device's translation table 
dictates that the nonroutable address and port number 192.168.1.5 port 10000 should be 
translated into the routable IP address and port number 205.151.254.10 port 600. When 
translated, the PAT device forwards the message to the corporate office. 


PAT works well, but there is an issue with Virtual Private Network (VPN) applications. 
IKE and UDP Issue 

There are many situations where customers require a Cisco VPN Client to operate in an 
environment where standard Encapsulating Security Payload (ESP) (IP protocol 50) or User 
Datagram Protocol (UDP) port 500 Internet Key Exchange (IKE) either cannot function, or 
cannot function transparently (without modification to existing firewall rules). VPN uses IKE for 
tunnel setup and Security Association (SA) negotiations. Because IKE runs over UDP, a PAT 
device can translate the nonroutable IP address and port number of an IKE packet into a routable 
public address and port number using the UDP port the packet already carries. The problem 
arises when the VPN device tries to establish the IPSec session itself. IPSec data traffic uses the 
ESP encapsulation protocol, and ESP is carried directly over IP (protocol 50) with no UDP port 
numbers. The PAT method of translating UDP port numbers therefore does not work with ESP, 
and the translating device drops the IPSec frame. 


Situations where standard ESP or UDP 500 does not work include the following: 
■ A small home office router performing PAT. 
■ A PAT-provided IP address behind a large router. This could exist if a service provider 
  provides non-public addresses to clients and then performs port address translation. This 
  scenario is identical to the one documented above. 
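As an added illustration of the PAT table described earlier and of the ESP problem just outlined (example code written for this edit, not Cisco software), the following Python simulation allocates public ports for UDP flows from the two inside PCs, maps the server's replies back to them, drops a raw ESP packet because it carries no port to rewrite, and passes the same traffic once it is wrapped in UDP. The server address 192.0.2.20, the inside source port 10000 and the allocation starting at port 600 are constructed to match the figures.

```python
"""PAT translation table versus ESP: a constructed simulation, not Cisco code.

Inside hosts 192.168.1.5/.6, public address 205.151.254.10 and allocated ports 600/601
follow the figures on this page. The server address and inside source port are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_ESP = 6, 17, 50
PUBLIC_IP = "205.151.254.10"
SERVER_IP = "192.0.2.20"        # constructed corporate server address


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: Optional[int] = None  # None: the protocol has no port field (ESP carries an SPI instead)
    dport: Optional[int] = None


class PatDevice:
    """One public address, many inside hosts, multiplexed on the translated source port."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 600) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound: Dict[Tuple[int, str, int], int] = {}        # (proto, inside ip, port) -> public port
        self.inbound: Dict[Tuple[int, int], Tuple[str, int]] = {}  # (proto, public port) -> (inside ip, port)
        self.dropped: List[Packet] = []

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        if pkt.proto not in (IPPROTO_TCP, IPPROTO_UDP) or pkt.sport is None:
            self.dropped.append(pkt)   # nothing to rewrite: PAT keys on L4 ports and ESP has none
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.outbound:   # first packet of a flow: allocate the next free public port
            public_port = self.next_port
            self.next_port += 1
            self.outbound[key] = public_port
            self.inbound[(pkt.proto, public_port)] = (pkt.src, pkt.sport)
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.outbound[key], pkt.dport)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.inbound.get((pkt.proto, pkt.dport))
        if pkt.dst != self.public_ip or inside is None:
            self.dropped.append(pkt)   # no table entry: unsolicited or untranslatable traffic
            return None
        return Packet(pkt.proto, pkt.src, inside[0], pkt.sport, inside[1])


def reply_to(pkt: Packet) -> Packet:
    """The server answers whatever address and port the translated request came from."""
    return Packet(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)


def run_scenario() -> dict:
    pat = PatDevice()
    results = {}
    # Two inside PCs open IKE (UDP 500) to the server through the same public address.
    for name, host in (("pc1", "192.168.1.5"), ("pc2", "192.168.1.6")):
        out = pat.translate_outbound(Packet(IPPROTO_UDP, host, SERVER_IP, 10000, 500))
        back = pat.translate_inbound(reply_to(out))
        results[name] = (out.sport, back.dst, back.dport)
    # Raw ESP from pc1 (IP protocol 50) cannot be mapped and is dropped.
    results["esp"] = pat.translate_outbound(Packet(IPPROTO_ESP, "192.168.1.5", SERVER_IP))
    # The same ESP payload wrapped in UDP (IPSec over UDP / NAT-T) translates like any UDP flow.
    wrapped = pat.translate_outbound(Packet(IPPROTO_UDP, "192.168.1.5", SERVER_IP, 4500, 4500))
    results["esp_in_udp"] = (wrapped.sport, pat.translate_inbound(reply_to(wrapped)).dst)
    results["dropped"] = len(pat.dropped)
    return results


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, v)
```

Many real PAT implementations keep the inside source port when it is still free on the public address and only pick another one on collision; the fixed allocation from 600 upward here simply reproduces the figure. The point that matters for the rest of this lesson is the `esp` result: with no port field there is no table key, so the packet never gets an entry and is dropped.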
IPSec over UDP—Proprietary 

Cisco has created a proprietary fix to solve the IPSec PAT translation issue. By default, in the 
Cisco VPN 3000 Series Concentrator a standard IPSec datagram is wrapped in ESP and IP with 
no UDP port number. If the frame must traverse a NAT device, the Concentrator can be 
programmed to add a UDP header between the outer IP header and the ESP header. After the 
configuration change, when the datagram arrives at the PAT device the datagram address can be 
translated due to the UDP encapsulation. 


IPSec over UDP is negotiated during tunnel establishment. During tunnel negotiations, if 
enabled in both the Cisco VPN Client and the Concentrator, IPSec is wrapped in UDP for the 
duration of the tunnel. This is configured on a group-by-group basis. Those groups whose frames 
traverse a NAT device can be configured to support IPSec over UDP. All other groups can be 
left at the default, with IPSec over UDP disabled. Some groups may require IPSec over UDP, 
while other groups may not. 
NAT Traversal—Standards-Based 

Network Address Translation Traversal (NAT-T) is a standards-based IPSec over UDP solution. 
NAT-T performs two tasks: it detects whether both ends support NAT-T, and it detects 
intermediate NAT devices along the transmission path. During IKE phase 1, the client and IPSec 
gateway exchange Vendor Identification (VID) payloads. A NAT-T VID must be sent and received 
by both ends in order for the NAT-T negotiations to continue. 

Next, NAT-Discovery (NAT-D) payloads are exchanged. The second task of NAT-T is to 
determine whether there are any NAT devices along the transmission path. Intervening NAT 
devices change the IP address or port numbers of the packets. NAT-D payloads are exchanged to 
determine whether any IP address or port number changes have occurred. Two NAT-D payloads 
are sent in each direction. Each NAT-D payload is a hash of the original IP address and port 
number (together with the IKE cookies of the exchange): one NAT-D payload for the destination 
IP address and port number, and another for the source IP address and port number. After 
receiving the NAT-D payloads, each end hashes the addresses and ports it actually sees in the IKE 
packet header and compares them with the received NAT-D payloads. If they match, there are no 
NAT devices along the transmission path. If they do not match, a NAT device translated either 
the IP address or the port number, and NAT-T encapsulation is used: the IPSec packet is 
wrapped in a UDP packet with port number 4500. 


In the example in the figure, the Cisco VPN Client and Concentrator exchange NAT-T VID 
packets. Both ends support NAT-T, the NAT-T negotiations continue. In packets two and three, 
both ends exchange NAT-D payloads. After comparing the NAT-D hashed IP address and port 
number with the IKE packet IP address and port number, the IP addresses and port numbers do 
not match. The IKE packet address was modified as the packet transited the NAT device. As a 
result, both ends change the UDP port number to 4500. The remaining IPSec packets are 
wrapped in a UDP header using port number 4500, NAT-T encapsulation. If both IPSec over 
UDP and NAT-T are enabled, NAT-T takes precedence. 
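The NAT-D exchange above, as an added example written for this edit in Python (it is not the Cisco VPN Client or Concentrator implementation). It follows RFC 3947, where each payload is HASH(CKY-I | CKY-R | IP | Port) computed with the IKE phase 1 hash algorithm; the course text abbreviates this to a hash of the address and port. The cookie values, SHA-1 as the negotiated hash and the Concentrator address 192.0.2.5 are constructed; the client's private address 192.168.1.5 and its translated appearance 205.151.254.10 port 600 follow the PAT figures on this page.

```python
"""NAT-D payload computation and NAT detection per RFC 3947 (constructed example, not Cisco code)."""
import hashlib
import socket
import struct
from typing import List, Tuple

IKE_PORT = 500
NATT_PORT = 4500
Addr = Tuple[str, int]


def nat_d(cky_i: bytes, cky_r: bytes, addr: Addr, hash_name: str = "sha1") -> bytes:
    """HASH(CKY-I | CKY-R | IP | Port): the IP is 4 bytes, the port 2 bytes, network order."""
    ip, port = addr
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i: bytes, cky_r: bytes, local: Addr, remote: Addr,
                         hash_name: str = "sha1") -> List[bytes]:
    """Sender side. RFC 3947 order: the remote (destination) hash first, then the local (source) hash."""
    return [nat_d(cky_i, cky_r, remote, hash_name), nat_d(cky_i, cky_r, local, hash_name)]


def detect_nat(payloads: List[bytes], cky_i: bytes, cky_r: bytes,
               seen_src: Addr, seen_dst: Addr, hash_name: str = "sha1") -> dict:
    """Receiver side: compare the peer's hashes with hashes of the addresses actually on the wire."""
    peer_view_of_me, peer_view_of_self = payloads[0], payloads[1:]
    # If the peer's hash of *my* address differs from what I see as destination, I am behind a NAT.
    local_behind_nat = peer_view_of_me != nat_d(cky_i, cky_r, seen_dst, hash_name)
    # If none of the peer's hashes of *its* address match the packet source, the peer is behind a NAT.
    peer_behind_nat = nat_d(cky_i, cky_r, seen_src, hash_name) not in peer_view_of_self
    use_natt = local_behind_nat or peer_behind_nat
    return {"local_behind_nat": local_behind_nat,
            "peer_behind_nat": peer_behind_nat,
            "port": NATT_PORT if use_natt else IKE_PORT}


def simulate(client_behind_pat: bool) -> dict:
    """Client 192.168.1.5 talks to the Concentrator; optionally a PAT device sits in between."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed IKE cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    client = ("192.168.1.5", IKE_PORT)
    concentrator = ("192.0.2.5", IKE_PORT)      # constructed Concentrator public address
    # The client hashes the addresses it knows: its own private address and the gateway's.
    payloads = build_nat_d_payloads(cky_i, cky_r, local=client, remote=concentrator)
    # A PAT device rewrites the source to 205.151.254.10:600; the hashes inside travel unchanged.
    on_wire_src = ("205.151.254.10", 600) if client_behind_pat else client
    # The Concentrator evaluates the payloads against the header it received.
    return detect_nat(payloads, cky_i, cky_r, seen_src=on_wire_src, seen_dst=concentrator)


if __name__ == "__main__":
    print("behind PAT:", simulate(True))
    print("no NAT:   ", simulate(False))
```

Because the hash covers the cookies, an on-path NAT that somehow recognised NAT-D payloads still could not patch them to hide itself without also matching the cookies of that exchange, and the comparison is done independently by each side, so either peer can be the one behind the translator.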
A third type of transparent tunneling support is IPSec over TCP. Concentrator devices support 
IPSec over UDP, NAT-T, or IPSec over TCP. With IPSec over TCP, there is no negotiation as 
there is with IPSec over UDP. IPSec over TCP packets are encapsulated from the start of the 
tunnel establishment cycle. From the very beginning, all traffic to the Concentrator is 
encapsulated in TCP. At the point at which IKE would normally negotiate the use of IPSec over 
UDP, IPSec over TCP is already active. In the Concentrator and the Cisco VPN Clients, IPSec 
over TCP takes precedence over both NAT-T and IPSec over UDP. 

The goal of IPSec over TCP is to allow the Cisco VPN Clients to operate in these environments 
by using TCP to encapsulate both IKE and ESP. This takes advantage of the fact that most 
firewalls allow outgoing TCP connections and the inbound packets associated with those 
connections. TCP is preferred over UDP through firewalls because a stateful firewall can track 
the TCP connection, which results in tighter filtering. The TCP implementation defaults to port 
10000, but the administrator can configure the Cisco VPN Client to use a different port. 

Although TCP is used to encapsulate IKE and IPSec, this feature is not intended to provide the 
reliability found in a fully deployed TCP implementation. The application layer (IKE) already 
provides much of the reliability needed. 
There are three IPSec through NAT applications: IPSec over UDP, NAT-T, and IPSec over TCP. 
NAT-T is a global attribute. IPSec over UDP (the proprietary version) is a group attribute. The 
use of NAT-T or IPSec over UDP is negotiated during tunnel setup. If IPSec over UDP is enabled 
at both ends and NAT-T is disabled, IPSec packets are encapsulated in proprietary UDP packets. 
If both IPSec over UDP and NAT-T are enabled, and a NAT device is discovered in the 
transmission path, IPSec packets are encapsulated using NAT-T. If no NAT device is 
discovered, the proprietary UDP encapsulation of the IPSec packets is performed. 

IPSec over TCP is a system-wide feature. Groups do not negotiate it. If enabled at both ends, it is 
on from the start of the IKE negotiations. If both NAT-T and IPSec over TCP are enabled, IPSec 
over TCP takes precedence. It is enabled globally, across all groups. 
Configuring IPSec over UDP 

This topic presents an overview of configuring IPSec over UDP. 

Configuring IPSec over UDP in the Concentrator is a two-part process: IPSec over UDP must be 
enabled first, and then a UDP port number must be defined. Complete the following steps to 
configure IPSec over UDP: 

Step 1 Choose Configuration>User Management>Groups. The Groups window opens. 

Step 2 Select a group. 

Step 3 Within the Client Config tab, select the IPSec over UDP check box. 

Step 4 In the IPSec over UDP Port field, enter any UDP port number between 4001 and 49151, 
except for 4500, which is reserved for NAT-T. The default is 10000. 

IPSec over UDP is configured on a group-by-group basis on the Concentrator. When IPSec over 
UDP is enabled, the defined UDP port number is pushed down to the Cisco VPN Client via 
Mode configuration. 
Cisco VPN Client Properties window for connection entry student1 (figure): Connection Entry, 
Description, and the Transport tab. 
For IPSec over UDP to work, it must be enabled in both the Cisco VPN Client and the 
Concentrator. By default, the feature is enabled in the Cisco VPN Client but disabled in the 
Concentrator. To verify the Cisco VPN Client configuration, select the Cisco VPN Client 
Transport tab, and ensure that the Enable Transparent Tunneling check box and the IPSec over 
UDP radio button are selected. Click Save after you verify that IPSec over UDP is enabled in the 
Cisco VPN Client. 
Configuring NAT Traversal 

This topic presents an overview of configuring NAT-T. 
Configuration>System>Tunneling Protocols>IPSec window (figure): 
  This section of the Manager lets you configure system-wide IPSec parameters. 
  • IPSec LAN-to-LAN -- IPSec LAN-to-LAN connections. 
  • IKE Proposals -- IKE proposals for IPSec Security Associations. 
  • NAT Transparency -- IPSec NAT Transparency connections. 

Configuration>System>Tunneling Protocols>IPSec>NAT Transparency window (figure): 
  This section lets you configure system-wide IPSec NAT Transparency. 
  IPSec over TCP    [check box]  Check to enable IPSec over TCP. 
  TCP Port(s)       [10000]      Enter up to 10 comma-separated TCP ports (1 - 65535). 
  IPSec over NAT-T  [check box]  Check to enable IPSec over NAT-T, which detects the need for UDP 
                                 encapsulation in NAT/PAT environments, using UDP port 4500. 
  [Apply] [Cancel] 
For NAT-T to work, it must be enabled in both the Cisco VPN Client and the Concentrator. 
Choose Configuration>System>Tunneling Protocols>IPSec. The IPSec window opens. Click the 
NAT Transparency link and, in the NAT Transparency window, select the IPSec over NAT-T 
check box to enable NAT-T on the Concentrator. NAT-T is enabled on a system-wide basis for 
all Client-to-LAN connections. NAT-T is configurable on an individual basis for LAN-to-LAN 
connections. 
Transparent tunneling must also be enabled on the Software Client for NAT-T to work. 
Transparent tunneling is enabled by default. Complete the following steps to view transparent 
tunneling in the software client: 

Step 1 Highlight the connection entry you wish to modify. 

Step 2 Choose Connection Entries>Modify. The Properties window opens. 

Step 3 Select the Transport tab. 

Step 4 View the Enable Transparent Tunneling check box. 

Step 5 View the Allow IPSec over UDP radio button. 

During IKE negotiations, the use of NAT-T and IPSec over UDP is negotiated. If both are 
enabled on the Concentrator, NAT-T takes precedence. 
Configuring IPSec over TCP 

This topic presents an overview of configuring IPSec over TCP. 

Configuration>System>Tunneling Protocols>IPSec>NAT Transparency window (figure): 
  IPSec over TCP    [check box selected]  Check to enable IPSec over TCP. 
  TCP Port(s)       [10000]               Enter up to 10 comma-separated TCP ports (1 - 65535). 
  IPSec over NAT-T  [check box]           Check to enable IPSec over NAT-T, which detects the need for 
                                          UDP encapsulation in NAT/PAT environments, using UDP port 4500. 
  [Apply] [Cancel] 


The last configuration example is IPSec over TCP. IPSec over TCP must be enabled in both the 
Cisco VPN Client and the Concentrator for it to work. Complete the following steps to enable 
IPSec over TCP in the Concentrator: 


Step 1 Choose Configuration>System>Tunneling Protocols>IPSec to verify the Concentrator 
configuration. The IPSec window opens. 


Step 2 Click the NAT Transparency link. The Configuration>System>Tunneling Protocols>IPSec> 
NAT Transparency window opens. 


Step 3 From this window, ensure that the IPSec over TCP check box is selected and that the TCP port 
number is supplied. 


Up to 10 comma-delimited TCP port numbers can be supplied. Different remote Cisco VPN 
Clients can use different TCP port numbers. The pool of usable TCP port numbers is defined in 
the Concentrator. The port number used by each Cisco VPN Client is defined on the individual 
Cisco VPN Client, and it must be one of the ports in the Concentrator's pool. 


This is a global parameter. If IPSec over TCP is enabled on both the Concentrator and the Cisco 
VPN Client, all frames are encapsulated in IPSec over TCP regardless of which group the Cisco 
VPN Client belongs to. 
By default, NAT-T and IPSec over UDP are enabled on the Hardware Client. To enable IPSec 
over TCP, the IPSec over TCP feature must be enabled and a TCP port number must be defined. 
Complete the following steps to configure the Hardware Client for IPSec over TCP: 

Step 1 Choose Configuration>System>Tunneling Protocols>IPSec. The IPSec window opens. 

Step 2 Select the IPSec over TCP check box. 

Step 3 In the IPSec over TCP Port field, enter the IPSec over TCP port number. You can enter any 
TCP port number from 1 to 65535, but it must match one of the TCP port numbers programmed 
into the Concentrator TCP Port(s) field. See the Concentrator 
Configuration>System>Tunneling Protocols>IPSec>NAT Transparency window for the TCP 
port numbers that have been programmed. 
Complete the following steps to configure IPSec over TCP in the software client: 

Step 1 Highlight the connection entry you wish to modify. 

Step 2 Choose Connection Entries>Modify. The Properties window opens. 

Step 3 Select the Transport tab. 

Step 4 Select the Enable Transparent Tunneling check box. 

Step 5 Select the Use IPSec over TCP radio button. 

Step 6 Enter the TCP port number in the TCP port field. You can enter any TCP port number from 1 
to 65535, but it must match one of the TCP port numbers programmed into the Concentrator 
TCP Port(s) field. See the Concentrator Configuration>System>Tunneling Protocols>IPSec>NAT 
Transparency window for the TCP port numbers that have been programmed. 
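The following Python check, added for this edit and not part of Cisco's software, models the settings from the three configuration topics above (the NAT Transparency window, the group Client Config tab and the VPN Client Transport tab), reports the port-range and port-list mistakes those topics warn about, and returns the encapsulation that the precedence rules stated in the overview would select for a given client. The class and field names, and the wording of the returned strings, are this example's own assumptions; the page only states that each feature must be enabled at both ends, so a client set to TCP against a Concentrator with IPSec over TCP disabled is reported as a mismatch rather than given a fallback.

```python
"""Consistency check and precedence resolution for Concentrator and client NAT transparency
settings. Constructed example; field names are this example's own, not Cisco's."""
from dataclasses import dataclass, field
from typing import List

NATT_PORT = 4500          # reserved for NAT-T, so not allowed as the IPSec over UDP port
RAW_ESP = "none (ESP, IP protocol 50)"


@dataclass
class ConcentratorGlobal:          # Configuration>System>Tunneling Protocols>IPSec>NAT Transparency
    ipsec_over_tcp: bool = False
    tcp_ports: List[int] = field(default_factory=lambda: [10000])
    ipsec_over_natt: bool = False


@dataclass
class GroupClientConfig:           # Configuration>User Management>Groups, Client Config tab
    ipsec_over_udp: bool = False
    udp_port: int = 10000


@dataclass
class ClientTransport:             # Cisco VPN Client, Transport tab
    transparent_tunneling: bool = True
    mode: str = "udp"              # "udp" = Allow IPSec over UDP, "tcp" = Use IPSec over TCP
    tcp_port: int = 10000


def validate(conc: ConcentratorGlobal, group: GroupClientConfig, client: ClientTransport) -> List[str]:
    """Return the configuration mistakes the lesson warns about (empty list = consistent)."""
    problems = []
    if conc.ipsec_over_tcp:
        if not 1 <= len(conc.tcp_ports) <= 10:
            problems.append("TCP Port(s): enter between 1 and 10 comma-separated ports")
        if len(set(conc.tcp_ports)) != len(conc.tcp_ports):
            problems.append("TCP Port(s): duplicate port number")
        for p in conc.tcp_ports:
            if not 1 <= p <= 65535:
                problems.append("TCP Port(s): %d is outside 1-65535" % p)
    if client.mode == "tcp":
        if not conc.ipsec_over_tcp:
            problems.append("client uses IPSec over TCP but the Concentrator has it disabled")
        elif client.tcp_port not in conc.tcp_ports:
            problems.append("client TCP port %d is not in the Concentrator TCP Port(s) list" % client.tcp_port)
    if group.ipsec_over_udp and (group.udp_port == NATT_PORT or not 4001 <= group.udp_port <= 49151):
        problems.append("IPSec over UDP port %d: must be 4001-49151 and not 4500" % group.udp_port)
    return problems


def resolve_encapsulation(conc: ConcentratorGlobal, group: GroupClientConfig,
                          client: ClientTransport, nat_detected: bool) -> str:
    """Apply the precedence from the overview: TCP (global) > NAT-T (global, needs a NAT) > group UDP."""
    if not client.transparent_tunneling:
        return RAW_ESP
    if client.mode == "tcp":
        if conc.ipsec_over_tcp and client.tcp_port in conc.tcp_ports:
            return "IPSec over TCP, port %d" % client.tcp_port     # active from the first IKE packet
        return RAW_ESP                                             # mismatch: see validate()
    if conc.ipsec_over_natt and nat_detected:
        return "NAT-T, UDP port 4500"                              # negotiated in IKE phase 1
    if group.ipsec_over_udp:
        return "IPSec over UDP, UDP port %d" % group.udp_port      # port pushed via Mode configuration
    return RAW_ESP


if __name__ == "__main__":
    conc = ConcentratorGlobal(ipsec_over_tcp=True, tcp_ports=[10000, 443], ipsec_over_natt=True)
    group = GroupClientConfig(ipsec_over_udp=True, udp_port=10000)
    for client, nat in ((ClientTransport(mode="tcp"), False), (ClientTransport(), True), (ClientTransport(), False)):
        print(validate(conc, group, client), resolve_encapsulation(conc, group, client, nat))
```

Run it against a planned change before touching the Concentrator: a group whose UDP port collides with 4500, or a client whose TCP port is not in the Concentrator's list, shows up as a `validate()` entry rather than as a tunnel that silently falls back to raw ESP and is then dropped by the PAT device.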
Monitoring Session Statistics 

This topic presents an overview of Concentrator and Cisco VPN Client session statistics. 
Cisco VPN Client Statistics window (figure): transparent tunneling status, encapsulation type and 
port, packet counters (Bypassed: 27), with Reset and Close buttons. 
The administrator can check the status of the session in both the Software Client and the 
Concentrator. Within the Statistics window, you can check whether transparent tunneling is 
active or inactive. If active, the encapsulation type and port number are shown. In the example 
in the figure, transparent tunneling is active, and IPSec over UDP encapsulation is in use with a 
port number of 10000. 
With a Hardware Client, the end user can view the session statistics by going to the 
Monitoring>System Status window. In the bottom part of the System Status window, you can 
view the tunnel type and the port number. In the example in the figure, the tunnel type is IPSec 
over UDP and the UDP port number is 10000. The UDP port number used is defined by the 
Concentrator and pushed down to the Hardware Client. 
The statistics can also be viewed at the Concentrator. To do this, open the Monitoring>Sessions 
window. The encapsulation type is visible in the Protocol column within the Remote Access 
Sessions section. In the example in the figure, IPSec over TCP is in use. Click the student1 link 
within the Remote Access Sessions section to get more information, including the port number. 
In the Monitoring>Sessions>Detail window, three sessions are listed: one IKE session and two 
IPSec sessions. Under the IPSec session, the encapsulation type and port numbers are available. 
In the example in the figure, TCP encapsulation is used and the TCP destination port number 
assigned is port 10000. 
Summary 

This topic summarizes the information that was presented in this lesson. 

Summary 
Cisco.com 

• IPSec does not translate through a NAT or PAT device. 
• Configure IPSec over UDP, NAT-T, or TCP in both the Concentrator and clients. 
• For each tunnel type, an applicable port number is defined. 
• IPSec over TCP, NAT-T, or UDP statistics are viewable on both the Concentrator and clients. 
Configure the Cisco Virtual Private Network 3000 Series Concentrator for LAN-to-LAN 
with Pre-Shared Keys 

Overview 

This lesson includes the following topics: 
■ Objectives 
■ Cisco VPN 3000 Series Concentrator IPSec LAN-to-LAN 
■ Configuring the Cisco VPN 3000 Series Concentrator via the Quick Configuration wizard 
■ LAN-to-LAN configuration 

Objectives 

This topic lists the lesson's objectives. 

Objectives 
Cisco.com 

Upon the completion of this lesson, you will be able to perform the following tasks: 
• Configure the Concentrator via Quick Configuration. 
• Configure LAN-to-LAN tunnels. 
• Monitor LAN-to-LAN tunnels. 
• Configure network lists. 
• Configure Network Autodiscovery. 
This topic presents an overview of the Cisco Virtual Private Network (VPN) 3000 Series 
Concentrator LAN-to-LAN feature. 

In the figure, a corporation wants to tie remote sites together via a VPN. At each remote site, 
there are 500 people. One option is to run a remote access VPN where the VPN Client is installed 
on every PC. This is a logistical and administrative nightmare. The better option is to use the 
VPN capabilities of the Concentrator. One Concentrator is installed at each site, and all remote 
PC traffic is routed to the Concentrators. The Concentrators encrypt and encapsulate the traffic. 
The Concentrators perform all IPSec functionality, and route all interoffice VPN traffic through 
the Internet. This option requires that no additional software be installed on the PCs. This 
application is referred to as a LAN-to-LAN VPN. 


Copyright © 2005, Cisco Systems, Inc. | Configure the Cisco VPN 3000 Series Concentrator for LAN-to-LAN with Pre-Shared Keys 15-3 


IPSec LAN-to-LAN 
Cisco.com 

Figure: corporate office (application server 10.0.1.10 behind a Concentrator with public IP 
address 192.168.1.5) and remote office (PC behind a Concentrator with public IP address 
192.168.2.5), with a session running across the IPSec tunnel between the two public interfaces. 
In the figure, the user on a remote LAN wants to access an application server at corporate 
headquarters. An IP packet is built with a source address of 10.0.2.3 and a destination address of 
10.0.1.10. The packet is routed to the Concentrator. The Concentrator encrypts the IP packet and 
encapsulates it with an Encapsulating Security Payload (ESP) header. The packet is secure; 
however, it is no longer routable, because the original addresses are now inside the encrypted 
payload. Therefore, an outer IP header is added to the packet. The outer header uses the public 
interface addresses of the two Concentrators: 192.168.1.5 and 192.168.2.5. The outer address 
enables the packet to be routed through the Internet. An IPSec tunnel is established between the 
public interfaces of the Concentrators, 192.168.1.5 and 192.168.2.5. When the tunnel is up, a 
session is established between the two private networks, 10.0.1.0 and 10.0.2.0. 

The Concentrator supports the following ESP options: 
■ Authentication options 
  — None 
  — Hashed Message Authentication Code (HMAC)-Message Digest 5 (MD5)—128-bit key 
  — HMAC-Secure Hash Algorithm 1 (SHA-1)—160-bit key 
■ Data encryption options 
  — Data Encryption Standard (DES)—56-bit key 
  — Triple DES (3DES)—168-bit key 
  — AES—128-, 192-, and 256-bit key 
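As an added example of the encapsulation just described (Python standard library only, written for this edit; it is not Concentrator code), the following builds the tunnel-mode packet from the figure: an inner packet from 10.0.2.3 to 10.0.1.10 wrapped in ESP, then carried in an outer header from 192.168.2.5 to 192.168.1.5 with IP protocol 50. It uses ESP with NULL encryption and HMAC-SHA1-96 so that the framing, the padding trailer, the integrity check and an anti-replay window can be shown without a cipher library; a real LAN-to-LAN tunnel would encrypt the inner packet with DES, 3DES or AES from the list above. The 20-byte authentication key, the SPI 0x1000 and the text payload are constructed.

```python
"""ESP tunnel mode with NULL encryption and HMAC-SHA1-96, plus an anti-replay window.
Constructed example (standard library only); not the Concentrator's implementation."""
import hashlib
import hmac
import socket
import struct

IPPROTO_IPIP = 4     # ESP next header in tunnel mode: the payload is a whole IPv4 packet
IPPROTO_UDP = 17
IPPROTO_ESP = 50
ICV_LEN = 12         # HMAC-SHA1-96 keeps the first 96 bits of the 160-bit HMAC


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def esp_encapsulate(inner: bytes, spi: int, seq: int, auth_key: bytes) -> bytes:
    pad_len = (-(len(inner) + 2)) % 4              # pad length + next header must end 4-byte aligned
    padding = bytes(range(1, pad_len + 1))         # default ESP padding pattern 1, 2, 3, ...
    esp = struct.pack("!II", spi, seq) + inner + padding + bytes([pad_len, IPPROTO_IPIP])
    icv = hmac.new(auth_key, esp, hashlib.sha1).digest()[:ICV_LEN]   # covers header and trailer
    return esp + icv


class ReplayWindow:
    """Sliding window over the ESP sequence number, 64 packets wide as in RFC 4303."""
    def __init__(self, size: int = 64) -> None:
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False
        if seq > self.top:                         # new high-water mark: slide the window forward
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size or (self.bitmap >> offset) & 1:
            return False                           # older than the window, or already seen
        self.bitmap |= 1 << offset
        return True


def esp_decapsulate(esp: bytes, expected_spi: int, auth_key: bytes, window: ReplayWindow) -> bytes:
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):     # verify integrity before trusting any field
        raise ValueError("ICV mismatch")
    spi, seq = struct.unpack("!II", body[:8])
    if spi != expected_spi:
        raise ValueError("unknown SPI 0x%x" % spi)
    if not window.check_and_update(seq):           # only update the window after the ICV verifies
        raise ValueError("replayed or stale sequence number %d" % seq)
    pad_len, next_header = body[-2], body[-1]
    if next_header != IPPROTO_IPIP:
        raise ValueError("not a tunnel-mode packet")
    return body[8:-2 - pad_len]


def build_tunnel_packet(inner_src: str, inner_dst: str, payload: bytes, outer_src: str,
                        outer_dst: str, spi: int, seq: int, auth_key: bytes) -> bytes:
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_UDP, len(payload)) + payload
    esp = esp_encapsulate(inner, spi, seq, auth_key)
    return ipv4_header(outer_src, outer_dst, IPPROTO_ESP, len(esp)) + esp


def open_tunnel_packet(packet: bytes, spi: int, auth_key: bytes, window: ReplayWindow) -> dict:
    if packet[9] != IPPROTO_ESP:
        raise ValueError("outer protocol %d is not ESP" % packet[9])
    inner = esp_decapsulate(packet[20:], spi, auth_key, window)
    return {"outer_src": socket.inet_ntoa(packet[12:16]), "outer_dst": socket.inet_ntoa(packet[16:20]),
            "inner_src": socket.inet_ntoa(inner[12:16]), "inner_dst": socket.inet_ntoa(inner[16:20]),
            "payload": inner[20:]}


if __name__ == "__main__":
    key = b"\x0b" * 20                             # constructed 160-bit HMAC-SHA-1 key
    pkt = build_tunnel_packet("10.0.2.3", "10.0.1.10", b"hello", "192.168.2.5", "192.168.1.5", 0x1000, 1, key)
    print(open_tunnel_packet(pkt, 0x1000, key, ReplayWindow()))
```

The receiver checks the ICV before it reads any other field and advances the replay window only after the ICV has verified, so a forged or replayed sequence number cannot disturb the window. The raw packet is exactly what the NAT and PAT sections of the previous lesson cannot translate: byte 9 of the outer header is 50 and there is no port field anywhere after it.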




Concentrator—Physical Connections 
Cisco.com 

Figure: Concentrator public interface (public IP address 192.168.1.5) cabled toward the Internet, 
private interface cabled to the corporate LAN. 


The Concentrator is equipped with universal power factor correction: 100-240 VAC. A power 
cable with the correct plug is supplied. When the Concentrator arrives from the factory, plug it 
in and power it up. Connect the corporate LAN to the Concentrator’s private interface. Cable the 
Internet side of the corporate network to the public interface of the Concentrator. LAN ports can 
be programmed for 10M or 100M Ethernet. 


The Concentrator is not pre-programmed with IP addresses at the factory. Use the console port 
to program the IP address of the private interface. The serial console port must be configured 
for 9600 bps, 8N1. Once the private interface is addressed, the operator can access the 
Concentrator through a browser. 
After the initial private IP address configuration, the remaining parameters can be configured in 
one of two ways: using the command line interface (CLI) or via a browser. For beginners, the 
menu-driven browser is recommended. The CLI is geared for those individuals who understand 
the menu structure. 


The web interface supports both HTTP and HTTP over Secure Sockets Layer (SSL). Operators 
can use either Internet Explorer or Netscape Navigator. With Internet Explorer and Netscape 
Navigator, the software versions must be 4.0 or higher with both cookies and Java scripts 
enabled. Use either browser to configure the Concentrator with one exception; Internet Explorer 
must be used when programming digital certificates. 
Manager screen 
Cisco.com 

VPN 3000 Concentrator Manager main window (figure): 
  Welcome to the VPN 3000 Concentrator Manager. 
  In the left frame or the navigation bar above, click the function you want: 
  • Configuration -- to configure all features of this device. 
  • Administration -- to control administrative functions on this device. 
  • Monitoring -- to view status, statistics, and logs on this device. 
  The bar at the top right has: 
  • Main -- to return to this screen. 
  • Help -- to get help for the current screen. 
  • Support -- to access VPN 3000 Concentrator support and documentation. 
  • Logout -- to log out of this session and return to the Manager login screen. 
  Under the location bar in the upper right, these icons may appear. Click to: 
  • Save -- save the active configuration and make it the boot configuration. 
  • Save Needed -- as above, indicating you have changed the active configuration. 
  • Reset -- to temporarily reset statistics to zero. 
  • Restore -- to restore statistics from their reset values. 
  • Refresh -- to refresh statistics. 
This is the main window of the Concentrator after logging into the device. In the left frame or 
the navigation bar in the figure above, you can click the function you want: 
■ Configuration—To configure all features of this device. 
■ Administration—To control administrative functions on this device. 
■ Monitoring—To view status, statistics, and logs on this device. 

The bar at the top right has the following options: 
■ Main—Click to return to this window. 
■ Help—Click to get help text for the current window. 
■ Support—Click to access Concentrator support and documentation. 
■ Logout—Click to log out of this session. 

The following icons may be found under the location bar in the upper right part of the window: 
■ Save—Save the active configuration and make it the boot configuration. 
■ Save Needed—Indicates you have changed the active configuration. 
■ Reset—Temporarily reset statistics to zero. 
■ Restore—Restore statistics from their reset values. 
■ Refresh—Refresh the statistics. 
Note When you finish with a configuration window, click Apply. Apply makes the configuration 
take effect immediately. Then click the Save Needed icon to save the changes to memory. If you 
reboot without saving, your configuration changes are lost. 
Quick Configuration 
Cisco.com 

VPN 3000 Concentrator Series Manager window (figure), logged in as admin: 
  Welcome to the VPN 3000 Concentrator Series Manager 
  The VPN 3000 Concentrator Series has booted, and you must now supply some configuration 
  parameters to make it operational. 
  To configure the minimal parameters, click here to start Quick Configuration. 
  To configure all features, click here to go to the Main Menu. 
There are two ways to configure the Concentrator: Quick Configuration and the main menu. 
Quick Configuration enables you to configure the minimal parameters for operation. A wizard 
guides you through the configuration. The main menu is used to configure each feature 
individually. With Quick Configuration, the Concentrator can be programmed by accessing five 
windows. In the main menu, the same application requires the operator to access nine or more 
windows. The recommendation is to use Quick Configuration for the initial configuration. Use 
the main menu to add connections or tune existing configurations. 

The next windows take you through a LAN-to-LAN Quick Configuration sample. 

Note You can run Quick Configuration only once. You must reboot to the factory default 
configuration to run it again. 
Configuring the Cisco VPN 3000 Series Concentrator via the Quick Configuration Wizard 

This topic covers the configuration of the Cisco VPN 3000 Series Concentrator via the Quick 
Configuration option. 

IP Interfaces 
Cisco.com 

Ethernet 1 (Private IP) 10.0.P.5        Ethernet 2 (Public IP) 192.168.P.5 

Quick Configuration, IP Interfaces window (figure): 
  Configure VPN 3000 Concentrator interfaces. 
  • Ethernet 1 (Private) = the interface to your private network (internal LAN). 
  • Ethernet 2 (Public) = the interface to the public network. 
  • Ethernet 3 (External) = the interface to an additional LAN. 
  If you modify the interface that you are currently using to connect to this device, you will break 
  the connection, and you will have to restart from the login screen. 

  Interface              Status          IP Address    Subnet Mask 
  Ethernet 1 (Private)   UP              10.0.1.5      255.255.255.0 
  Ethernet 2 (Public)    UP              192.168.1.5   255.255.255.0 
  Ethernet 3 (External)  Not Configured  0.0.0.0       0.0.0.0 

  [Back] [Continue] 
The figure shows the first Quick Configuration window. It displays the current configuration of 
the IP interfaces: 
■ Private—Interface toward the internal network 
■ Public—Interface toward the public network (Internet) 
■ External—Interface toward the external network or DMZ 

Recall that the private LAN interface was configured via the CLI. The next step is to configure 
the public LAN interface (toward the Internet). 
Public IP Interface 
Cisco.com 

Ethernet 1 (Private IP address) 10.0.P.5        Ethernet 2 (Public IP address) 192.168.1.5 

Configuring Ethernet Interface 2 (Public) window (figure): 
  You are modifying the interface you are using to connect to this device. If you make any changes, 
  you will break the connection and you will have to restart from the login screen. 

  General Parameters 
  Sel   Attribute             Value           Description 
  ( )   Disabled                              Select to disable this interface. 
  ( )   DHCP Client                           Select to obtain the IP Address, Subnet Mask and Default 
        System Name                           Gateway via DHCP (System Name may be required for DHCP). 
  (•)   Static IP Addressing                  Select to configure the IP Address and Subnet Mask. 
        IP Address            192.168.1.5     Enter the IP Address and Subnet Mask for this interface. 
        Subnet Mask           255.255.255.0 
        Public Interface      [check box] 
        MAC Address           (read-only) 
        Filter                --None-- 
        Speed                 10/100 auto     Select the speed for this interface. 
        Duplex                Auto            Select the duplex mode for this interface. 
        MTU                   1500            Enter the Maximum Transmit Unit for this interface (68 - 1500). 
  [Apply] [Cancel] 
The window displayed in the figure is used to configure the public interface. The public IP interface can be configured in one of three ways: disabled, set as a Dynamic Host Configuration Protocol (DHCP) client, or configured to use a static IP address. The public IP interface parameters are as follows:

■ Disabled—The interface is enabled by default. Select Disabled to disable the interface.

■ DHCP Client—Select the DHCP Client radio button if you want to enable this interface and use DHCP to obtain an IP address. In the System Name field, enter a name (such as VPN01) for the Concentrator. This name must uniquely identify this device on your network.

■ Static IP Addressing—If you want to enable this interface and set a static IP address for it, click the Static IP Addressing radio button. In the IP Address field, enter the IP address for this interface using dotted decimal notation (for example, 192.168.1.5). Be sure no other device is using this address on the network. In the Subnet Mask field, enter the subnet mask for this interface using dotted decimal notation (for example, 255.255.255.0). The Manager automatically supplies a standard subnet mask appropriate for the IP address you just entered. For example, the IP address 192.168.1.5 is a Class C address, and the standard subnet mask is 255.255.255.0. You can accept this entry or change it. Note that 0.0.0.0 is not allowed.

■ Public Interface—Select the Public Interface check box to make this interface a public interface.

■ MAC Address—The Media Access Control (MAC) address is the unique hardware MAC address for this interface.

■ Filter—Click the Filter drop-down menu button and choose the public (default) filter, which allows only nonsource-routed inbound and outbound tunneling protocols plus Internet Control Message Protocol (ICMP). This is the default filter for Ethernet 2.

■ Speed—Keep the default value.
System Information

[Figure: the Configuration | Quick | System Info window.]

Assign a system name/hostname to this device. This may be required if you use DHCP to obtain an address.
System Name: studentVPN    Enter a hostname for the system, e.g. vpn01.

Set the time on your device. The correct time is very important, so that logging and accounting entries are accurate.
The current time on this device is Friday, 23 February 2001 11:37:23.
New Time: 11:38:10, 23 February, (GMT-05:00) EST
[x] Enable DST Support

Specify a DNS server, which lets you enter hostnames rather than IP addresses in subsequent Manager fields.
DNS Server: 0.0.0.0    Enter the IP address of your local DNS server.
Domain:                Enter your Internet domain name; e.g. yourcompany.com.

Default Gateway: 192.168.1.1    Enter your default gateway. Leave at 0.0.0.0 for no default gateway.

[Back] [Continue]
The Configuration>Quick>System Info window configures basic information about the Concentrator, and has the following options:

■ System Name field—Enter a name (such as VPN01) for the Concentrator. This name must uniquely identify this device.

■ New Time fields and drop-down menus—Set the time and date on the Concentrator. The correct time is very important so that logging, certificates, and accounting entries are accurate. The window shows the current date and time on the device. The values shown in the New Time fields are the time on the browser PC, but any entries you make apply to the Concentrator.

■ DNS Server field—Enter the IP address of your local DNS (Domain Name System) server, using dotted decimal notation (for example, 192.34.5.67).

■ Domain field—Enter your Internet domain name.

■ Default Gateway field—Enter the IP address or hostname of the system to which the Concentrator should route packets that are not explicitly routed. In other words, if the Concentrator has no IP routing parameters (Routing Information Protocol [RIP], Open Shortest Path First [OSPF], static routes) that specify where to send a packet, it will be sent to this gateway. Leave the field at 0.0.0.0 for no default gateway.
Protocols

[Figure: the Configuration | Quick | Protocols window; a remote client reaches the Concentrator across the Internet over IPSec.]

Select the tunneling protocols and encryption options that you want to enable.

[ ] PPTP   ( ) Require Encryption (Clients without encryption will not gain access. Requires MSCHAP.)
           (o) Don't Require Encryption (Clients may optionally use encryption.)
[ ] L2TP   ( ) Require Encryption (Clients without encryption will not gain access. Requires MSCHAP.)
           (o) Don't Require Encryption (Clients may optionally use encryption.)
[x] IPSec  Check to enable remote user connections via IPSec. LAN-to-LAN configurations are done outside of Quick Configuration.

[Back] [Continue]
The Configuration>Quick>Protocols window defines the protocols used in client-to-LAN (remote access) applications. These parameters have no bearing on LAN-to-LAN applications. Look at the text next to the IPSec parameter and notice that LAN-to-LAN configuration is done outside of Quick Configuration; the LAN-to-LAN IPSec protocol information is configured in a different window. Note also that, as shown in the figure, the PPTP and L2TP options have Don't Require Encryption selected, which admits clients that negotiate no encryption at all, so enable only the protocols you intend to use and select Require Encryption for those you do. While the Concentrator is able to handle remote access and LAN-to-LAN tunnels simultaneously, in the lab exercise for this topic you will deselect all the remote access protocols and focus strictly on LAN-to-LAN configuration and monitoring.
Admin Password

[Figure: the Configuration | Quick | Admin Password window.]

We strongly recommend that you change the password for user admin.
Password: ****
Verify:   ****

[Back] [Continue]
You can use the Configuration>Quick>Password window to change the password. Doing so is highly recommended for security, because the default password that Cisco supplies is the same as the username. Use the following options to change the password:

■ Login field—Enter or edit the unique username for this administrator.

■ Password field—Enter or edit the unique password for this administrator. The field displays only asterisks. The default password that Cisco supplies is the same as the username. It is strongly recommended that you change this password.

■ Verify field—Re-enter the password to verify it. The field displays only asterisks.

■ Reset Password utility—After you reboot the system and the diagnostic check is complete, a line of three dots (. . .) appears on the console. Pressing Control-Break within three seconds after seeing the three dots displays a new menu that enables you to reset the system password back to its default. Because this utility needs nothing more than access to the console during boot, anyone who can reach the console port (directly or through a terminal server) can regain the default admin credentials; restrict that access accordingly.
LAN-to-LAN Configuration


This topic presents an overview of the Concentrator LAN-to-LAN wizard.


Add IPSec LAN-to-LAN

[Figure: the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN window, with an IPSec tunnel drawn across the Internet.]

This section lets you configure IPSec LAN-to-LAN connections. LAN-to-LAN connections are established with other VPN 3000 Concentrators, PIX firewalls, 7100/4000 series routers and other IPSec-compliant security gateways. To configure a VPN 3002 or other remote access connection, go to User Management and configure a Group and User. To configure NAT over LAN-to-LAN, go to LAN-to-LAN NAT Rules.

If you want to define a set of networks on the local or remote side of the LAN-to-LAN connection, configure the necessary Network Lists prior to creating the connection.

Click the Add button to add a LAN-to-LAN connection, or select a connection and click Modify or Delete. (D) indicates a disabled LAN-to-LAN connection.

LAN-to-LAN Connection    Actions
(empty)                  [Add]
Configuration of LAN-to-LAN connections cannot be done in Quick Configuration. Instead, the Concentrator provides a wizard for LAN-to-LAN connections. Choose Configuration>System>Tunneling Protocols>IPSec>LAN-to-LAN, and click Add to access the LAN-to-LAN wizard. The Configuration>System>Tunneling Protocols>IPSec>LAN-to-LAN>Add window opens. The LAN-to-LAN wizard presents this one window to configure a LAN-to-LAN tunnel.
Boston IPSec LAN-to-LAN

[Figure: the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add window filled in on the Boston Concentrator. Boston private network 10.0.1.0 255.255.255.0; Houston private network 10.0.6.0 255.255.255.0. Callouts mark the steps described below: Steps 1-3 in the top (tunnel) section, Steps 1-2 in the local network section, and Steps 1-2 in the remote network section.]

Name:            Boston
Peer:            192.168.6.5
IKE Proposal:    IKE-3DES-MD5
Preshared Key:   (key)
Local Network:   Network List = Use IP Address/Wildcard-mask below; IP Address 10.0.1.0; Wildcard Mask 0.0.0.255
Remote Network:  Network List = Use IP Address/Wildcard-mask below; IP Address 10.0.6.0; Wildcard Mask 0.0.0.255
The Configuration>System>Tunneling Protocols>IPSec>LAN-to-LAN>Add window has three sections. The top section pertains to the tunnel (network) information; the bottom two sections deal with the two private networks at either end of the tunnel.

In the example in the figure, there is a tunnel between Boston and Houston. The administrator is currently configuring the Boston Concentrator. For the Boston network connection (top section), the administrator needs to complete the following steps:

Step 1  Enter the name for the LAN-to-LAN connection (local significance only) in the Name field.

Step 2  Set the peer value as the IP address assigned to the public interface of the remote Concentrator (for example, 192.168.6.5) in the Peer field.

Step 3  Enter an alphanumeric string value for the pre-shared key in the Preshared Key field. The same key must be entered at the Houston end.

There are two private networks: local and remote. The middle section of the Configuration>System>Tunneling Protocols>IPSec>LAN-to-LAN>Add window defines the local private network. When the administrator in the example programs the Boston end, the local network to Boston is 10.0.1.0. When programming the local private network, the administrator needs to complete the following steps:

Step 1  Set the local network IP address to 10.0.1.0, which is the network and subnet address minus the host address.

Step 2  Set the wildcard mask to 0.0.0.255. The wildcard mask is the reverse of the subnet mask: 0 bits are matched, 1 bits are ignored.

The bottom section of the Configuration>System>Tunneling Protocols>IPSec>LAN-to-LAN>Add window defines the remote private network. In the example, the remote end is the Houston private network, 10.0.6.0. When the administrator in the example programs the remote private network, the administrator needs to complete the following steps:

Step 1  Set the remote network IP address to 10.0.6.0. It is the network and subnet address minus the host address.

Step 2  Set the wildcard mask to 0.0.0.255. The wildcard mask is the reverse of the subnet mask.

Step 3  Click Add.


Backup LAN-to-LANs 


A backup LAN-to-LAN configuration has two sides: a central side and a remote side. The 
central side is the endpoint of the connection where the backup VPN Concentrators reside. (If 
the backup VPN Concentrators reside in different geographic places, there may be more than 
one central side.) The endpoint of the backup VPN Concentrator’s LAN-to-LAN peer is the 
remote side. 


The remote-side VPN Concentrator has a peer list of all (up to ten) of the central-side VPN 
Concentrators. The peers appear on the list in their order of priority. Each central-side VPN 
Concentrator has a peer list of the (one) remote-side peer. 


In a backup LAN-to-LAN setup, the remote peer always initiates the connection. It tries to 
connect to the first VPN Concentrator on its peer list. If that VPN Concentrator is unavailable, 
then it tries to connect to the second peer on the list. It continues in this way until it connects to 
one of the peers on the list. If that connection later fails, the remote-side peer again tries to 
connect to the first peer on its list. If that VPN Concentrator is unavailable, it tries the second, 
and so on. In this way, the remote VPN Concentrator re-establishes the LAN-to-LAN 
connection with only a brief interruption of service. 


In a nonredundant LAN-to-LAN connection, the first data to travel from one peer to another 
brings up the Internet Key Exchange (IKE) tunnel. The tunnel exists for the duration of the data 
transmission only. When the data stops transmitting, the tunnel goes down. In a backup LAN-to- 
LAN configuration, the peers establish the tunnel in a different manner. During IKE tunnel 
establishment, the VPN Concentrator at each endpoint of the LAN has a unique role. It can 
either originate or accept IKE tunnels. In most cases, you configure the remote-side VPN 
Concentrator to originate the tunnel and the central-side VPN Concentrator to accept it. Once the 
IPSec tunnel is established, data travels in both directions; each side can both receive and send 
data. The tunnel remains up at all times, even if data transmission stops. 


The unique role of the VPN Concentrator in establishing the IKE tunnel is called its connection type. There are three connection types:

■ Originate only—This VPN Concentrator originates the IKE tunnel. An originate-only endpoint is analogous to a telephone that makes only outgoing phone calls; it cannot receive calls.

■ Answer only—This VPN Concentrator accepts the IKE tunnel. An answer-only connection is analogous to a telephone that receives only incoming calls; it cannot make calls.

■ Bidirectional—This VPN Concentrator can either originate or accept the IKE tunnel. It is like a telephone that can both make calls and receive calls.

Configure the remote-side VPN Concentrator with the connection type Originate-Only; configure the central-side VPN Concentrator with the connection type Answer-Only. (A few other configurations are valid, although not recommended.) Two originate-only ends, or two answer-only ends, can never bring the tunnel up.
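The peer-list behaviour and the connection-type rules above are easy to get wrong when reasoning about a failover. The following Python model is an added example, not part of the course and not Cisco's software: it encodes the remote side's priority-ordered peer list (up to ten entries), the rule that the remote side always initiates and walks the list from the top, the rule that it starts again from the top only after the active tunnel fails, and the originate/answer pairing the text recommends. Nothing in the text describes moving back to a higher-priority peer while a tunnel is still up, so the model does not either. Peer names and the availability timeline are constructed.

```python
"""Backup LAN-to-LAN peer selection.

Added example (not part of the course, not Cisco code) that models the
behaviour the text describes: the remote side holds an ordered peer list
of up to ten central-side Concentrators and always initiates; it walks the
list from the top, and after the active tunnel fails it starts again from
the top. Peer names and the timeline are constructed.
"""
from typing import Callable, List, Optional, Set

MAX_PEERS = 10
ORIGINATORS = {"originate-only", "bidirectional"}
ANSWERERS = {"answer-only", "bidirectional"}


def pairing_valid(remote_type: str, central_type: str) -> bool:
    """The remote end must be able to originate and the central end to answer."""
    return remote_type in ORIGINATORS and central_type in ANSWERERS


def pairing_recommended(remote_type: str, central_type: str) -> bool:
    """The configuration the text recommends: originate-only remote, answer-only central."""
    return remote_type == "originate-only" and central_type == "answer-only"


class RemoteSide:
    """Remote-side Concentrator with its priority-ordered list of central-side peers."""

    def __init__(self, peers: List[str]):
        if not 1 <= len(peers) <= MAX_PEERS:
            raise ValueError(f"peer list must hold 1 to {MAX_PEERS} entries")
        self.peers = list(peers)
        self.active: Optional[str] = None

    def connect(self, reachable: Callable[[str], bool]) -> Optional[str]:
        """Try the peers in list order and stop at the first one that answers."""
        for peer in self.peers:
            if reachable(peer):
                self.active = peer
                return peer
        self.active = None
        return None

    def tick(self, up: Set[str]) -> Optional[str]:
        """One observation: keep the tunnel while its peer is up, otherwise reselect from the top."""
        if self.active is not None and self.active in up:
            return self.active
        return self.connect(lambda p: p in up)


def peer_list_accepted(count: int) -> bool:
    """True if a list of `count` peers is within the limit the text gives (up to ten)."""
    try:
        RemoteSide([f"central-{i}" for i in range(count)])
        return True
    except ValueError:
        return False


def simulate(peers: List[str], timeline: List[Set[str]]) -> List[Optional[str]]:
    """Record which peer the remote side is connected to after each step of the timeline."""
    remote = RemoteSide(peers)
    return [remote.tick(up) for up in timeline]


if __name__ == "__main__":
    # Constructed timeline: primary fails, comes back, then the secondary fails too.
    steps = [{"c1", "c2", "c3"}, {"c2", "c3"}, {"c1", "c2", "c3"}, {"c3"}, {"c1", "c2", "c3"}]
    print(simulate(["c1", "c2", "c3"], steps))   # ['c1', 'c2', 'c2', 'c3', 'c3']
```

The third step of the timeline is the one worth noticing: c1 is reachable again, but the remote side stays on c2 because its tunnel has not failed, and it only returns to the top of the list once c2 goes down.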


15-20 Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc. 


IPSec LAN-to-LAN Is Finished

[Figure: the IPSec LAN-to-LAN | Add | Done window on the Boston Concentrator. Boston 10.0.1.0 255.255.255.0 and Houston 10.0.6.0 255.255.255.0 are joined by an IPSec tunnel across the Internet. The window is marked Save Needed.]

An IPSec LAN-to-LAN connection has been successfully configured. The following have been added to your configuration:

Authentication Server   Internal
Group                   192.168.6.5
Security Association    L2L: boston
Filter Rules            L2L: boston Out
                        L2L: boston In

Modifying any of these items will affect the LAN-to-LAN configuration. The Group is the same as your LAN-to-LAN peer. The Security Association and Filter Rules all start with "L2L:" to indicate that they form a LAN-to-LAN configuration.
If the connection was successfully configured, the IPSec LAN-to-LAN>Add>Done window opens. In this window, the Cisco VPN 3000 Concentrator Series Manager presents a synopsis of the LAN-to-LAN tunnel configuration. The LAN-to-LAN wizard automatically creates the following entries:

■ Group (named after the peer IP address)
■ Security Association (SA)
■ Filter rules (inbound and outbound)

You can view or edit any parameters in these entries, but changes to them affect the LAN-to-LAN configuration. Remember to save the configuration (the window is marked Save Needed) so that it survives a reboot.
IPSec LAN-to-LAN Connection

[Figure: the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN window after the Boston tunnel was added. Boston 192.168.1.5 and Houston 192.168.6.5 (private network 10.0.6.0 255.255.255.0) are joined by an IPSec tunnel across the Internet. The window is marked Save Needed and carries the same introductory text as the earlier LAN-to-LAN window.]

LAN-to-LAN Connection                        Actions
Boston (192.168.6.5) on Ethernet 2 (Public)  [Add] [Modify] [Delete]
The Configuration>System>Tunneling Protocols>IPSec>LAN-to-LAN window lists all the LAN-to-LAN tunnels configured in the Concentrator. The example in this figure gives the listing "Boston (192.168.6.5) on Ethernet 2 (Public)". This means that the tunnel name is Boston, that the public interface of the remote Concentrator is 192.168.6.5, and that the tunnel terminates on the local Ethernet 2 (Public) interface.
Houston IPSec LAN-to-LAN

[Figure: the Configuration | System | Tunneling Protocols | IPSec | LAN-to-LAN | Add window filled in on the Houston Concentrator (public interface 192.168.6.5), with peer Boston at 192.168.1.5. Houston private network 10.0.6.0 255.255.255.0; Boston private network 10.0.1.0 255.255.255.0. Callouts mark Steps 1-3 in the top section, Steps 1-2 in the local network section, and Steps 1-2 in the remote network section. The window notes that an Originate-Only connection may have multiple peers, entered one IP address per line, and that the Routing field selects the routing mechanism to use.]
With LAN-to-LAN, there are two ends to the tunnel. After an administrator has configured the first end (in this example, "Boston"), the administrator must configure the other end (in this example, "Houston"). Choose Configuration>System>Tunneling Protocols>IPSec>LAN-to-LAN and click Add to access the LAN-to-LAN wizard.

There are three sections to the Configuration>System>Tunneling Protocols>IPSec>LAN-to-LAN>Add window: the top section defines the tunnel parameters, the middle section defines the local private network, and the bottom section defines the remote private network. The Houston entries mirror the Boston ones: the peer is now Boston's public address, and the local and remote networks are swapped.

For the Houston network connection (top section) in the example, the administrator must complete the following steps:

Step 1  Enter the name for the LAN-to-LAN connection (local significance only) in the Name field.

Step 2  Set the peer value as the IP address assigned to the public interface of the remote Concentrator (for example, 192.168.1.5) in the Peer field.

Step 3  Enter the same alphanumeric string value for the pre-shared key that was entered at Boston in the Preshared Key field.

In the example, there are two private networks: local and remote. When programming the Houston end (middle section), the local network to Houston is 10.0.6.0. When programming the local network, the administrator must complete the following steps:

Step 1  Set the local network IP address to 10.0.6.0, which is the network and subnet address minus the host address.

Step 2  Set the wildcard mask to 0.0.0.255. The wildcard mask is the reverse of the subnet mask.

In the example, the remote end is the Boston private network (bottom section), 10.0.1.0. When programming the remote end, the administrator must complete the following steps:

Step 1  Set the remote network IP address to 10.0.1.0. It is the network and subnet address minus the host address.

Step 2  Set the wildcard mask to 0.0.0.255. The wildcard mask is the reverse of the subnet mask.

Step 3  Click Add.
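The Boston and Houston Add windows must be exact mirrors of each other: each end's Peer is the other end's public address, each end's local network is the other end's remote network, and both ends hold the same pre-shared key. The Python below is an added example, not part of the course and not Cisco's software. It models the fields from both procedures above, derives the wildcard mask from the subnet mask the way the text describes (every bit inverted), strips the host address to get the network address, and reports every way the two ends fail to mirror each other before anyone clicks Add. The dataclass field names, the "example-psk" placeholder, and the deliberately wrong 10.0.2.0 entry are this example's own constructions.

```python
"""Mirror check for the two ends of a VPN 3000 LAN-to-LAN tunnel.

Added example (not part of the course, not Cisco code). It models the
fields each end receives in the Add window, derives the wildcard mask
from the subnet mask the way the text describes, and checks that the
Boston and Houston entries mirror each other. All names and the key
value are this example's own assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace
from typing import List, Tuple


def wildcard_from_mask(subnet_mask: str) -> str:
    """Wildcard mask = subnet mask with every bit inverted (255.255.255.0 -> 0.0.0.255)."""
    mask = int(ipaddress.IPv4Address(subnet_mask))
    return str(ipaddress.IPv4Address(mask ^ 0xFFFFFFFF))


def network_address(ip: str, subnet_mask: str) -> str:
    """'Network and subnet address minus the host address' (10.0.1.5/24 -> 10.0.1.0)."""
    net = ipaddress.IPv4Network(f"{ip}/{subnet_mask}", strict=False)
    return str(net.network_address)


def host_bits_set(network: str, wildcard: str) -> bool:
    """True if the network address still carries bits in the positions the wildcard ignores."""
    return bool(int(ipaddress.IPv4Address(network)) & int(ipaddress.IPv4Address(wildcard)))


@dataclass(frozen=True)
class L2LEndpoint:
    """One end of the tunnel as typed into the Add window (field names are assumed)."""
    name: str
    public_ip: str        # this Concentrator's Ethernet 2 (Public) address
    peer: str             # Peer field: the remote Concentrator's public address
    preshared_key: str
    local_net: str        # middle section: local private network and wildcard
    local_wildcard: str
    remote_net: str       # bottom section: remote private network and wildcard
    remote_wildcard: str


def check_mirror(a: L2LEndpoint, b: L2LEndpoint) -> List[str]:
    """Return every way the two ends fail to mirror each other; an empty list means consistent."""
    problems = []
    for this, other in ((a, b), (b, a)):
        if this.peer != other.public_ip:
            problems.append(f"{this.name}: Peer {this.peer} is not {other.name}'s public IP {other.public_ip}")
        if (this.local_net, this.local_wildcard) != (other.remote_net, other.remote_wildcard):
            problems.append(f"{this.name} local {this.local_net}/{this.local_wildcard} != "
                            f"{other.name} remote {other.remote_net}/{other.remote_wildcard}")
        for net, wc in ((this.local_net, this.local_wildcard), (this.remote_net, this.remote_wildcard)):
            if host_bits_set(net, wc):
                problems.append(f"{this.name}: {net}/{wc} has host bits set; use the network address")
    if a.preshared_key != b.preshared_key:
        problems.append("pre-shared keys differ")
    return problems


def boston_houston() -> Tuple[L2LEndpoint, L2LEndpoint]:
    """The course's Boston/Houston example; 'example-psk' is a constructed placeholder."""
    mask = "255.255.255.0"
    wc = wildcard_from_mask(mask)
    boston = L2LEndpoint("Boston", "192.168.1.5", "192.168.6.5", "example-psk",
                         network_address("10.0.1.5", mask), wc, "10.0.6.0", wc)
    houston = L2LEndpoint("Houston", "192.168.6.5", "192.168.1.5", "example-psk",
                          network_address("10.0.6.5", mask), wc, "10.0.1.0", wc)
    return boston, houston


def typo_demo() -> List[str]:
    """Houston entered with local network 10.0.2.0 instead of 10.0.6.0: the check catches it."""
    boston, houston = boston_houston()
    return check_mirror(boston, replace(houston, local_net="10.0.2.0"))


if __name__ == "__main__":
    mismatches = check_mirror(*boston_houston())
    print("consistent" if not mismatches else mismatches)
    for problem in typo_demo():
        print("typo demo:", problem)
```

A mismatch of this kind does not show up as an error in the Manager; the tunnel simply never comes up, or comes up but carries no traffic for the subnet that was mistyped, so checking both ends side by side before clicking Add is cheaper than debugging from Administration>Sessions afterwards.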
IPSec LAN-to-LAN Is Finished

[Figure: the IPSec LAN-to-LAN | Add | Done window on the Houston Concentrator. Boston 10.0.1.0 255.255.255.0 (192.168.1.5) and Houston 10.0.6.0 255.255.255.0 (192.168.6.5) are joined by an IPSec tunnel across the Internet. The window is marked Save Needed.]

An IPSec LAN-to-LAN connection has been successfully configured. The following have been added to your configuration:

Authentication Server   Internal
Group                   192.168.1.5
Security Association    L2L: houston
Filter Rules            L2L: houston Out
                        L2L: houston In

Modifying any of these items will affect the LAN-to-LAN configuration. The Group is the same as your LAN-to-LAN peer. The Security Association and Filter Rules all start with "L2L:" to indicate that they form a LAN-to-LAN configuration.
If the connection was successfully configured, the IPSec LAN-to-LAN>Add>Done window opens. In this window, the Manager presents a synopsis of the LAN-to-LAN tunnel configuration. As at the Boston end, the LAN-to-LAN wizard automatically creates the following entries:

■ Group (named after the peer IP address, 192.168.1.5)
■ SA (L2L: houston)
■ Filter rules (L2L: houston In and L2L: houston Out)

You can view or edit any parameters in these entries.
Administration Sessions

[Figure: the Administration | Sessions window.]

This screen shows statistics for sessions. To refresh the statistics, click Refresh. Select a Group to filter the sessions. For more information on a session, click on that session's name. To log out a session, click Logout in the table below. To test the network connection to a session, click Ping.

Group: --All--
Logout All: PPTP User | L2TP User | IPSec User | IPSec LAN-to-LAN

Session Summary
Active LAN-to-LAN  Active Remote    Active Management  Total Active  Peak Concurrent  Concurrent      Total Cumulative
Sessions           Access Sessions  Sessions           Sessions      Sessions         Sessions Limit  Sessions
1                  0                1                  2             2                100             94

LAN-to-LAN Sessions
Connection Name  IP Address   Protocol          Encryption  Login Time       Duration  Bytes Tx  Bytes Rx  Actions
Boston           192.168.6.5  IPSec/LAN-to-LAN  3DES-168    Aug 15 07:41:45  7:42:24   51800     51744     Logout | Ping

Remote Access Sessions
Username | Assigned IP Address | Public IP Address | Group | Protocol | Encryption | Login Time | Duration | Client Type | Version | Bytes Tx | Bytes Rx
No Remote Access Sessions

Management Sessions
Administrator  IP Address  Protocol  Encryption  Login Time       Duration  Actions
admin          10.0.1.10   HTTP      None        Aug 15 15:24:04  0:00:04   Logout | Ping
Choose the Administration>Sessions window to verify the LAN-to-LAN tunnel. If the LAN-to-LAN tunnel is not listed, ping the private interface at the remote end (the Concentrator needs to see interesting traffic bound for the remote network before it will bring up a tunnel). The LAN-to-LAN Sessions table provides the following information:

■ Connection name
■ IP address (the public IP address of the remote Concentrator)
■ Protocol
■ Encryption (3DES-168 in the figure)
■ Login time
■ Duration
■ Bytes Tx and Rx

Bytes Tx and Rx both increasing is the quickest sign that traffic is actually passing through the tunnel in both directions. Note also that the management session in the figure runs over plain HTTP with Encryption "None"; manage the Concentrator over HTTPS wherever possible.
Multiple Subnets

[Figure: two sites, Houston and San Francisco, each with a router and several subnets behind it, connected across the Internet.]
In the previous examples, there was one tunnel with one subnet at each end of the tunnel. This is not a real-world example. In the real world, there are multiple tunnels with multiple subnets at each remote site.

Before Release 2.1 of the Concentrator software, you had to define tunnels for all reachable subnets: each subnet-to-subnet connection had to be defined individually. In a mesh network, that could be very time-consuming and error prone.

In Release 2.1, you can build a network list. In the network list you define all the subnets reachable at a particular site and give the list a name (for example, Boston or Houston). Instead of defining individual subnet-to-subnet tunnels, you can define one tunnel between each pair of sites and apply a network list to the private network at each site. In the LAN-to-LAN configuration, the Concentrator references the applicable network lists for subnet information.

Release 2.1 also introduced Network Autodiscovery (NAD). With NAD, you do not have to define local and remote network addresses, or network lists. You define the LAN-to-LAN network information only: name, peer, remote address, pre-shared key, and routing (NAD). As long as Inbound RIP is turned on, the Concentrator learns subnets from RIP. Each Concentrator then encrypts the RIP information and sends it through the tunnel to the remote Concentrator. Because the Concentrator accepts whatever inbound RIP on the private interface advertises, NAD extends the trust you place in RIP on the local LAN to what the remote end will route through the tunnel. (NAD is not supported with OSPF.)
Network Lists

[Figure: the Network Lists window and its Add window.]

This section lets you add, modify, copy, and delete Network Lists. Click Add to create a Network List, or select a Network List and click Modify, Copy, or Delete.

Network List    Actions
(Empty)         [Add]

Add window:
List Name: boston    Name of the Network List you are adding. The name must be unique. Click on Generate Local List to generate a network list based on routing entries.
Network List:
  ■ Enter the Networks and Wildcard masks using the following format: n.n.n.n/n.n.n.n (e.g. 10.10.1.0/0.0.0.255 or 10.10.0.0/0.0.255.255).
  ■ Note: Enter a wildcard mask, which is the reverse of a subnet mask. A wildcard mask has 1s in bit positions to ignore, 0s in bit positions to match. For example, 10.10.1.0/0.0.0.255 = all 10.10.1.nnn addresses.
  ■ Each Network and Wildcard mask pair must be entered on a single line.
  ■ The Wildcard mask may be omitted if the natural Wildcard mask is to be used.

[Add] [Cancel] [Generate Local List]
Instead of defining individual subnet-to-subnet tunnels, you can define one tunnel between each pair of sites, define network lists for both ends, and apply a network list to each end. In the network list, you define all the subnets reachable at a particular site and give the list a name (for example, Boston or Houston). The local network list can be generated automatically from routes learned via RIP; the remote list, containing all reachable private subnets at the far end, is entered manually.

Generate a list for both ends of the tunnel as follows:

■ For the local list, click Generate Local List. The Manager reads the routing table and generates a network list containing the first 200 private networks reachable from the Ethernet 1 (Private) interface; inbound RIP (not OSPF) must be enabled on that interface. The Manager refreshes the screen after it generates the list, and you can then edit the Network List and enter a List Name. If you click Apply, the generated list replaces any existing entries in the Network List. Edit the list if necessary: if there is a subnet that you do not want to be accessible through the tunnel, delete it, because every network left in the list becomes reachable by the remote site. The last step is to name the list and click Add.

■ For the remote list, in the Network List window enter the network/wildcard pair for each reachable subnet. The network does not include the host bits, and the wildcard is the reverse of the subnet mask (subnet mask 255.255.255.0, wildcard 0.0.0.255).
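The Network List window's entry format has two details that are easy to get wrong when typing a remote list by hand: the wildcard is the inverse of a subnet mask (1 bits are ignored), and a line without a wildcard gets the natural, classful one. The Python below is an added example, not part of the course and not Cisco's software. It parses the one-pair-per-line format as the window describes it, supplies the classful wildcard when a line omits it, rejects an entry whose network address still carries host bits, and walks through the remote-list workflow from the bullet above: drop a subnet that must stay private, then test which addresses the remaining list covers. The sample list for Houston is constructed for the example.

```python
"""Network-list entries in the Concentrator's network/wildcard format.

Added example (not part of the course, not Cisco code). It parses the
one-pair-per-line format the Network List window describes, supplies the
natural (classful) wildcard when a line omits it, refuses entries whose
network address still has host bits set, and shows the remote-list
workflow: remove a subnet that must stay private, then test which
addresses the list covers. The sample list below is constructed.
"""
import ipaddress
from typing import List, Tuple

Entry = Tuple[int, int]   # (network, wildcard) as 32-bit integers

# Constructed remote list for the Houston site; the last line omits the
# wildcard, so the natural Class B wildcard 0.0.255.255 applies.
HOUSTON_LIST = """\
10.0.6.0/0.0.0.255
10.0.7.0/0.0.0.255
172.16.0.0
"""


def natural_wildcard(network: int) -> int:
    """Classful default: Class A 0.255.255.255, Class B 0.0.255.255, otherwise 0.0.0.255."""
    first_octet = network >> 24
    if first_octet < 128:
        return 0x00FFFFFF
    if first_octet < 192:
        return 0x0000FFFF
    return 0x000000FF


def parse_entry(line: str) -> Entry:
    """Parse 'n.n.n.n/w.w.w.w' or 'n.n.n.n'; raise ValueError for a malformed line."""
    network_text, _, wildcard_text = line.strip().partition("/")
    network = int(ipaddress.IPv4Address(network_text))
    wildcard = int(ipaddress.IPv4Address(wildcard_text)) if wildcard_text else natural_wildcard(network)
    if network & wildcard:
        # 1 bits in the wildcard are ignored positions; the network must be 0 there.
        raise ValueError(f"{line.strip()}: host bits set; enter the network address, not a host")
    return network, wildcard


def is_valid_entry(line: str) -> bool:
    """True if the line is something the parser (and so the window) would accept."""
    try:
        parse_entry(line)
        return True
    except ValueError:
        return False


def parse_list(text: str) -> List[Entry]:
    """One network/wildcard pair per line, blank lines ignored."""
    return [parse_entry(line) for line in text.splitlines() if line.strip()]


def format_entry(entry: Entry) -> str:
    """Render an entry back in the window's n.n.n.n/w.w.w.w form."""
    network, wildcard = entry
    return f"{ipaddress.IPv4Address(network)}/{ipaddress.IPv4Address(wildcard)}"


def exclude(entries: List[Entry], line: str) -> List[Entry]:
    """Drop one subnet from the list so it is not reachable through the tunnel."""
    unwanted = parse_entry(line)
    return [e for e in entries if e != unwanted]


def covers(entries: List[Entry], address: str) -> bool:
    """An address matches an entry when it agrees with the network in every 0 bit of the wildcard."""
    a = int(ipaddress.IPv4Address(address))
    return any((a | wildcard) == (network | wildcard) for network, wildcard in entries)


if __name__ == "__main__":
    remote = parse_list(HOUSTON_LIST)
    print([format_entry(e) for e in remote])
    remote = exclude(remote, "10.0.7.0/0.0.0.255")      # keep 10.0.7.0/24 private
    for addr in ("10.0.6.77", "10.0.7.1", "172.16.200.4", "10.0.8.1"):
        print(addr, covers(remote, addr))
```

Note that the classful default makes 10.10.0.0 without a wildcard a Class A entry, which is why the window's own example spells it out as 10.10.0.0/0.0.255.255; the strict host-bit check above is what turns that omission into an error instead of a silently over-broad entry.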
LAN-to-LAN Network Lists

Separate network lists are built for both ends of the tunnel. The lists are then added to the LAN-to-LAN tunnel configuration as follows:

■ For the local network, under the Network List drop-down menu, select the correct network list for the local end of the tunnel.

■ For the remote network, under the Network List drop-down menu, select the correct network list for the remote end of the tunnel.

The Concentrator will build the tunnel and use the network lists to determine which traffic to route through it.
The NAD feature dynamically discovers and continuously updates the private network addresses on each side of the LAN-to-LAN connection. You do not have to define the private networks at both ends of the tunnel. The Concentrator learns local network addresses from local RIP updates. The Concentrators encrypt this information and send it through the tunnel to the remote end. From this information, the remote Concentrator learns what networks are reachable at the other end of the tunnel. For this feature to work, inbound RIP must be enabled on the private interface of both Concentrators.

Complete the following steps to configure LAN-to-LAN using NAD:

Step 1  Enter a name in the Name field.

Step 2  Choose the public interface from the Interface drop-down menu, and enter the IP address of the peer's public interface in the Peer field.

Step 3  Enter the pre-shared key in the Preshared Key field (or choose a digital certificate if the tunnel is certificate-authenticated).

Step 4  Choose Network Autodiscovery from the Routing drop-down menu.

Step 5  Click Add.

The Concentrator can build a LAN-to-LAN tunnel from this information.

Note  NAD is not supported with OSPF.
Summary


This topic summarizes what you learned in this lesson.


Summary

■ Interface and system information is configured via Quick Configuration.
■ LAN-to-LAN is configured via a second wizard.
■ Network lists enable ease of configuration when dealing with multiple subnets.
■ Network autodiscovery learns the local subnets by listening to RIP updates.
Lab Exercise—Configure the Cisco VPN 3000 Series Concentrators for LAN-to-LAN Using Pre-Shared Keys


Complete the following lab exercise to practice what you learned in this lesson.


Objectives


Your task in this lab exercise is to configure one end of a LAN-to-LAN Virtual Private Network (VPN) while another team completes the same tasks at a remote site. Work with your lab exercise partner to complete the following tasks on your side of the LAN-to-LAN VPN:

■ Complete the lab exercise setup.
■ Return the Cisco VPN 3000 Series Concentrator to factory settings.
■ Configure the Cisco VPN 3000 Series Concentrator private interface using the CLI.
■ Configure a static route in the Cisco VPN 3000 Series Concentrator using the CLI.
■ Configure the Cisco VPN 3000 Series Concentrator using the Cisco VPN 3000 Concentrator Series Manager.
■ Configure network lists.
■ Configure the Cisco VPN 3000 Series Concentrator LAN-to-LAN parameters.
■ Verify the Cisco VPN 3000 Series Concentrator LAN-to-LAN connectivity.




Visual Objective 


The following figure displays the configuration you will complete in this lab exercise. 


Lab Visual Objective

[Figure: Pods 1-5 on the left (192.168.P.0, a Concentrator, and a student PC at 10.0.P.15) and Pods 6-10 on the right (192.168.Q.0, a Concentrator, and a student PC at 10.0.Q.15), connected through the lab backbone.]


Scenario 


Your company wants you to implement a VPN between the world headquarters campus site and 
the remote sales offices. You must configure the Cisco VPN 3000 Series Concentrators for 
LAN-to-LAN tunneling using pre-shared keys for authentication. 


Task 1—Complete the Lab Exercise Setup
Certain networking parameters must be configured before your student PC can operate in the lab environment. Reconfigure your student PC networking parameters using the following IP addresses:

■ Ensure that your student PC is powered on.

■ Ensure that your student PC IP addresses are configured correctly:

   — Primary IP address—10.0.P.15 (where P = pod number)

   — Subnet mask—255.255.255.0

   — Default gateway IP address—10.0.P.5 (where P = pod number)

■ Ensure that your Concentrator is powered on.


Task 2—Return the Cisco VPN 3000 Series Concentrator to Factory 
Settings 
The instructor will provide you with the procedures for access to the Concentrator console port, as this will vary according to your connectivity. After you access the Concentrator console port, the Concentrator prompt will appear. Complete the following steps to return the Concentrator to the factory settings:


Step 1 Log into the Concentrator command line interface (CLI) using the administrator account: 
Login: admin 
Password: admin 


If you get a Quick prompt for the system time or date parameters, the device has already been 
rebooted to factory defaults. Skip the remainder of this task and proceed to Task 4. If you do not 
get a Quick prompt for the system time or date parameters, the device has not already been 
rebooted to factory defaults, and you must continue with the rest of the steps in this task. 

Step 2 Access the Administration menu: 
Main -- 2 

Step 3 Access the System Reboot menu: 
Admin -- 3 

Step 4 Access the Schedule Reboot menu: 
Admin -- 2 

Step 5 Select Reboot ignoring the Configuration file: 
Admin -- 3 

Step 6 Select Reboot Now: 
Admin -- 2 


The “Reboot scheduled immediately” message appears followed by the “Rebooting VPN 3000 
Concentrator Series now” message. Do not attempt to log in to the first login prompt you see, as 
it takes several moments for the Concentrator to complete the reboot function. A login prompt 
appears when the reboot is completed. 


Step 7 Leave the CLI session open. 
Task 3—Configure the Cisco VPN 3000 Series Concentrator Private Interface Using the CLI


Complete the following steps to configure the Concentrator private LAN interface using the CLI quick configuration mode:

Note This procedure assumes that the CLI session is still active. If not, follow steps 1-6 of the previous task before proceeding.

Step 1 Log in to the Concentrator using the administrator account:
Login: admin
Password: admin

When an administrator reboots a Concentrator, as in the previous task, the CLI menus open in a slightly different order. If you get the Quick prompt for the system parameters, press Enter through the time, date, time zone, and DST prompts.

Step 2 Enter your Concentrator private interface IP address:
Quick Ethernet 1-- [0.0.0.0] 10.0.P.5
(where P = pod number)

Step 3 Enter your Concentrator private interface subnet mask:
Quick Ethernet 1-- [255.0.0.0] 255.255.255.0

Step 4 Accept the default Ethernet speed of 10/100 Mbps Auto Detect:
Quick Ethernet 1-- [3] <Enter>

Step 5 Accept the default duplex mode of Half/Full/Auto:
Quick Ethernet 1-- [1] <Enter>

Step 6 Accept the MTU default:
Quick Ethernet 1-- [1500] <Enter>

Step 7 Save changes to the configuration file:
Quick -- 3

Step 8 Exit the CLI:
Quick -- 5

If you do not exit, the CLI continues its quick configuration script. You will use the standard CLI menus for the remaining parameters.


Task 4—Configure the Cisco VPN 3000 Series Concentrator Using the Cisco VPN 3000 Concentrator Series Manager


Complete the following steps to finish the configuration using the Cisco VPN 3000 Concentrator 
Series Manager: 
Note This procedure assumes that Windows 2000 is already running on the student PC.

Step 1 Launch Internet Explorer by double-clicking the desktop icon.

Step 2 Enter a Concentrator private interface IP address of 10.0.P.5 in the Internet Explorer Address field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.

Step 3 Log into the Cisco VPN 3000 Concentrator Series Manager using the administrator account:
Login: admin
Password: admin
The username (login) and password are always case sensitive.

Step 4 In the main window, click the click here to start Quick Configuration hyperlink.

Step 5 Complete the following sub-steps from the Configuration>Quick>IP Interfaces window:

1. Select Ethernet 2 (Public). The Ethernet 2 window opens.
2. Select Static IP Addressing.
3. In the IP Address field, enter an IP address of 192.168.P.5 (where P = pod number). The subnet mask field is automatically populated with a value of 255.255.255.0.
4. Leave all other fields at their default.
5. Click Apply.
6. Click Continue.

Step 6 Complete the following sub-steps from the Configuration>Quick>System Info window:

1. Enter vpnP in the System Name field (where P = pod number).
2. Leave the DNS server set to 0.0.0.0.
3. Enter the domain name: cisco.com.
4. Enter a backbone router IP address of 192.168.P.1 in the Default Gateway field (where P = pod number).
5. Click Continue.

Step 7 Complete the following sub-steps from the Configuration>Quick>Protocols window:

1. Deselect the PPTP check box.
2. Deselect the L2TP check box.
3. Select the IPSec check box.
4. Click Continue.

Step 8 Click Continue until Quick Configuration is complete.
Step 9 Save the changes.

Step 10 Do not close Internet Explorer. Proceed to the next topic.


Task 5—Configure Network Lists 


Configure Concentrator Network Lists. In most networks there are multiple subnets at both ends of the VPN tunnel. A network list must be configured at both ends of the tunnel so that the subnets can communicate through the VPN tunnel. Complete the following steps to define which local and remote network IP addresses are available at each end of the tunnel:


Step 1 Build a local network list by completing the following sub-steps: 


1. From the Configuration menu tree, drill down to Policy Management>Traffic Management> 
Network Lists. 


2. Click Add. 


3. Click Generate Local List and answer the following question: 


Q1) What IP addresses appear in the Network List field?


A) 


4. Enter a unique name in the List Name field (for example, podP). 
(where P = pod number). 


5. Click Add. 


Step 2 Build a remote network list by completing the following sub-steps: 


1. From the Configuration menu tree, drill down to Policy Management>Traffic Management>Network Lists and, in the Network Lists window, click Add.


2. Enter a meaningful remote city name or building name in the List Name field (for example, 
podQ). 
(where Q = peer pod number) 


3. Enter the following IP address and wildcard mask for the remote private network: 
10.0.Q.0/0.0.0.255. 
(where Q = peer pod number) 


4. Click Add. 


Step 3 Save the configuration changes. 


Task 6—Configure the Cisco VPN 3000 Series Concentrator LAN-to-LAN Parameters

In this topic you will configure the LAN-to-LAN parameters of the Concentrator using the LAN-to-LAN wizard. Complete the following steps to configure Concentrator LAN-to-LAN parameters:
Step 1 From the Configuration menu tree, drill down to System>Tunneling Protocols>IPSec>IPSec LAN-to-LAN.

Step 2 Click Add.

The IPSec LAN-to-LAN window is composed of three sections. The top section prompts you for information about the public network. The peer refers to the public interface address of a remote Concentrator (the address of the other end of the tunnel). In the middle and bottom sections of the window, you configure the addresses of the private networks at both ends of the tunnel. The local network is your private network (the host address is 0). The remote network is the private network of the remote peer (the host address is 0).

Step 3 Complete the following sub-steps to configure the IPSec LAN-to-LAN connection:

1. Enter a name: podP (where P = pod number).
2. Enter a peer Concentrator public interface IP address of 192.168.Q.5 (where Q = peer pod number). This is the IP address of the remote Concentrator public interface.
3. Enter a pre-shared key: training.
4. Leave all other fields at their defaults and go to the local network section of the window.

Step 4 Apply the local network list previously configured in this lab. In the Local Network section of the window, choose the correct local network list from the Network List drop-down menu (for example, podP).

Step 5 Apply the remote network list previously configured in this lab. In the Remote Network section of the window, choose the correct remote network list from the Network List drop-down menu (for example, podQ).

Step 6 Click Add.

Step 7 Click OK.

Step 8 Save the configuration changes. You have successfully configured an IPSec LAN-to-LAN tunnel using the IPSec LAN-to-LAN configuration wizard. Wait for the team at the peer pod to finish before proceeding. Do not log out of the Concentrator.


Task 7—Verify the Cisco VPN 3000 Series Concentrator LAN-to-LAN Connectivity


Complete the following steps to verify the LAN-to-LAN tunnel connections:

Step 1 Ping your peer Concentrator private interface at 10.0.Q.5 (where Q = peer pod number) using the Administration menu tree ping function. If the LAN-to-LAN wizard was configured correctly, the Cisco VPN 3005 Concentrator will build an IPSec tunnel based on the student-supplied network information and the default IKE and IPSec templates. View the results.

Step 2 From the Monitoring menu tree, drill down to Sessions and answer the following questions:

Q2) Is a LAN-to-LAN session established?

A)

Q3) What is the name of the connection?

A)

Q4) What is the IP address?

A)

Q5) What protocol is used?

A)

Q6) Which encryption scheme is used?

A)

Step 3 Log out of the Concentrator. Close Internet Explorer.
Configure the Cisco VPN 3000 Series Concentrator for LAN-to-LAN with NAT


Overview 


This lesson includes the following topics: 
■ Objectives
■ LAN-to-LAN NAT overview
■ Configuring the Concentrator LAN-to-LAN NAT feature


Objectives 


This topic lists the lesson’s objectives. 


Upon the completion of this lesson, you will be able to perform the following tasks:

■ Configure the static LAN-to-LAN NAT rule.
■ Enable NAT rules.
■ Monitor LAN-to-LAN NAT statistics.
LAN-to-LAN NAT Overview


This topic presents an overview of the LAN-to-LAN Network Address Translation (NAT) 
feature. 


Addressing Issue (figure): the Site A PC at 10.10.10.4 sends a packet to server B2 at 11.11.11.23; server B2's reply, addressed back to 10.10.10.4, is returned to the 10.10.10.0 network at Site B instead of to the PC.


In the figure, there are two sites, site A and site B. Site A has one subnet, 10.10.10.0/24. Site B has two subnets, 10.10.10.0/24 and 11.11.11.0/24. A PC at site A wants to access server B2. The PC's packet is addressed to 11.11.11.23 and forwarded through the Cisco Virtual Private Network (VPN) 3000 Series Concentrators to server B2. From the remote end, the remote server responds to the PC's packet. Server B2 addresses the reply packet to 10.10.10.4/24. The issue is: what happens to server B2's reply packet? The packet is sent to the router. The router recognizes the destination IP address as a local address and sends the packet to the 10.10.10.0 network at site B. The packet is never routed to the PC at Site A.
The issue can be resolved with Network Address Translation (NAT). The PC's source address is translated into a routable address. In the figure, the PC's source address is translated by Concentrator A to IP address 20.20.20.4/24 and forwarded to server B2. Server B2 replies with a packet addressed to IP address 20.20.20.4/24. The 20.20.20.4/24 IP address is routable by both site B's router and Concentrator. Back at site A, the reply packet is translated back to 10.10.10.4/24 by Concentrator A. Concentrator A then forwards the packet to the PC. NAT resolved the remote-end routing issue by performing translation at the local end, site A.

The next issue is: what happens if the PC on site A wants to communicate with server B1, 10.10.10.14/24? In the figure, there are overlapping addresses at both ends of the circuit.
Overlapping Address Space (figure): the Site A PC at 10.10.10.4, server B1 at 10.10.10.14 and server B2 at 11.11.11.23; both sites use the 10.10.10.0/24 address space.


In the figure, both Site A and Site B are using the 10.10.10.0/24 address space. With the network configured as it is, traffic between the Site A PC and server B2 cannot be routed. Such conflicts can be resolved by renumbering networks, but this solution is usually undesirable at best. Configuring the Concentrators to perform NAT provides a solution to this problem: NAT enables the Concentrators to translate the overlapping network addresses at both ends of the tunnel, which lets the Concentrators route traffic between the networks.
The Issue

If the Site A PC attempts to access server B2 using the server's IP address of 10.10.10.14/24, the attempt will fail. Concentrator A considers the destination IP address of 10.10.10.14/24 a local address and will not route the packet. The same is true at site B. If server B attempts to route a packet to the PC at IP address 10.10.10.4/24, Concentrator B considers the destination IP address of 10.10.10.4/24 a local address and will not route the packet. The solution is NAT at both ends of the tunnel. The administrator can configure NAT rules in both Concentrators to make the routing possible. When a packet passing through the Concentrator matches a NAT rule, it is translated and a NAT session is created. Subsequent matching packets are translated in accordance with this NAT session and receive the same translated IP address. Maintaining NAT sessions allows the Concentrator to preserve address and port continuity within a protocol session. NAT sessions expire and are deleted if they are not used for a period of time.
Both Concentrators implement Network Address Translation (NAT) to route the packets end-to-end. In the figure, the site A Concentrator performs NAT on the PC's source IP address. Concentrator A translates the PC's source IP address of 10.10.10.4/24 to a 20.20.20.4/24 IP address. Concentrator A routes the packet to site B. Concentrator B delivers the packet to server B with a source IP address of 20.20.20.4/24. At site B, server B replies by sending a packet to the PC, destination IP address 20.20.20.4/24. Concentrator B receives the packet and routes it through the Internet to Site A. At Site A, if left untranslated, the packet is non-deliverable: the destination IP address of 20.20.20.4/24 is not located on the local LAN at Site A. The destination IP address of the packet must be translated. Concentrator A is configured to translate any packet with a destination IP address of 20.20.20.4/24 to IP address 10.10.10.4/24. After translation, the packet is successfully routed to the PC.
Site B NAT (figure): server B at 10.10.10.14 sits behind Concentrator B. A packet arriving from the tunnel with destination 30.30.30.14 is translated to 10.10.10.14; server B's reply with source S: 10.10.10.14 is translated by Concentrator B to S: 30.30.30.14 before it enters the tunnel.


On the previous page, the PC's source IP address of 10.10.10.4 was translated by Concentrator A. With overlapping addresses at both ends of the network, translation is performed at both ends of the network. In this figure, server B's IP address of 10.10.10.14 is translated to 30.30.30.14. If PC A attempted to send a packet to server B at IP address 10.10.10.14/24, Concentrator A would drop the packet, because Concentrator A considers 10.10.10.14/24 a local host. To overcome the local host issue, the PC initiates a session with server B using a destination IP address of 30.30.30.14/24, the address the network administrator assigned to server B. Concentrator A routes the packet to site B. To deliver the packet to server B, the destination IP address of the packet, 30.30.30.14/24, must be translated to server B's IP address of 10.10.10.14/24. Once translated, the packet is routed to server B2, and a Network Address Translation (NAT) session is established. In the reverse direction, when a server B packet with the source address of 10.10.10.14/24 reaches Concentrator B, the source IP address is translated to 30.30.30.14/24.
LAN-to-LAN NAT Summary

This figure summarizes the LAN-to-LAN Network Address Translations (NATs) taking place in the network. The top section displays the bidirectional traffic and the associated translations.

The bottom section displays a translation table. The following table details Concentrator A and Concentrator B address translations:

Concentrator     Native IP Address   Translated IP Address
Concentrator A   10.10.10.4/24       20.20.20.4/24
Concentrator B   10.10.10.14/24      30.30.30.14/24


Configuring the Concentrator LAN-to-LAN NAT Feature




This topic presents an overview of how to configure the LAN-to-LAN Network Address 
Translation (NAT) feature. Configuring LAN-to-LAN NAT is a three-step process: configure 
the LAN-to-LAN rule, enable the rule, then tie the translated addresses to the Concentrator. 
Configuring the LAN-to-LAN rule is covered first. 


LAN-to-LAN NAT Rule Types (figure): Site A and Site B are joined across the Internet by a LAN-to-LAN tunnel. At Site A, static NAT translates 10.10.10.X to 20.20.20.X; at Site B, static NAT translates 30.30.30.14 to 10.10.10.14.

Below the figure is the Modify a LAN-to-LAN NAT rule window, which has these fields:

NAT Type (Static, Dynamic, or PAT):
- Static: maps source IP addresses to translated IP addresses on a one-to-one basis. Static mappings apply to both inbound and outbound traffic.
- Dynamic: maps source IP addresses to one of a pool of available translated IP addresses. Dynamic mappings apply to outbound traffic only.
- PAT: dynamic mapping with Port Address Translation. PAT applies to outbound traffic only.

Source Network: specifies the source IP address and wildcard mask to be translated.
Translated Network: specifies the translated IP address and wildcard mask for the Local Network. It is the local address of the LAN-to-LAN connection.
Remote Network: specifies the destination IP address and wildcard mask for which this rule applies. To allow any remote network, set IP address/wildcard mask to 0.0.0.0/255.255.255.255. It is the remote address of the LAN-to-LAN connection.

Values shown in the window:
                Source Network   Translated Network   Remote Network
IP Address      10.10.10.0       20.20.20.0           0.0.0.0
Wildcard Mask   0.0.0.255        0.0.0.255            255.255.255.255
There are two elements to define to configure a LAN-to-LAN Network Address Translation (NAT) rule. The administrator defines the NAT rule type, which determines whether the Concentrator applies a static, dynamic, or PAT rule. Once the rule type is selected, the next step is to configure the source address and the translated address. What is the source address and what is the translated address? NAT rule type is covered first.

There are three types of LAN-to-LAN NAT rules: static, dynamic, and PAT. An explanation of the LAN-to-LAN rule types is as follows:

Static Translation Rules—Define one-to-one address mappings between networks. These rules have the following characteristics and restrictions:

■ When the user configures a static translation rule, the specified local network must be the same class as the mapped network.

■ When a packet is translated based on a static rule, port mappings are never performed.

■ In the Concentrator, all static rules are bidirectional.
Static rules are needed if servers are made available to a remote overlapping network. In the figure, a server at site B is made available to PCs at site A. One-to-one NAT is performed. At the local end, a PC address of 10.10.10.X/24 is translated to an IP address of 20.20.20.X/24. At the remote end, an IP address of 30.30.30.14/24 is translated to 10.10.10.14/24, a one-to-one mapping (not shown).

Dynamic translation rules—Map a local network to either a smaller network or to a single address. Dynamic translation may also alter the source or destination port of the packet being translated. These rules are most often applied to outbound traffic. Since a remote host cannot predict the mapped address of a dynamically mapped local host, inbound rules are generally not useful. Dynamic rules are usually applied to networks in which local and mapped addresses are of different classes (for example, Class B and Class C IP addresses).

PAT translation rules—PAT LAN-to-LAN NAT rules are dynamic rules with Port Address Translation (PAT). PAT rules apply to outbound traffic only.

Notice that in this example, translation happens at both ends of the LAN-to-LAN connection. LAN-to-LAN NAT rules are configured in both Concentrators. There is one rule and set of addresses configured at one end and another rule with addresses configured at the opposite end.

NAT rule addressing is discussed later in this lesson.
Site A LAN-to-LAN NAT Configuration (figure): Site A and Site B are joined across the Internet; the reply packet returning to Site A carries destination D: 20.20.20.4. Below the figure is the Modify a LAN-to-LAN NAT rule window with NAT Type Static selected and the same NAT Type, Source Network, Translated Network and Remote Network field descriptions as the window shown earlier. Values shown for Concentrator A:
                Source Network   Translated Network   Remote Network
IP Address      10.10.10.0       20.20.20.0           0.0.0.0
Wildcard Mask   0.0.0.255        0.0.0.255            255.255.255.255


Once a NAT rule type is selected, the source and translated IP addresses are configured. The source network is the IP address of the local network, expressed as a source IP address and wildcard mask. The translated network is the address the source IP address is translated to, expressed as a translated IP address and wildcard mask. In the figure, a PC user on Site A is accessing a server on Site B. There is address overlap between the two private networks. The administrator is defining LAN-to-LAN NAT addressing rules for Concentrator A. The Concentrator is configured to translate the PC's 10.10.10.4/24 IP address to 20.20.20.4/24. Concentrator A's LAN-to-LAN NAT rule configuration is as follows:

■ NAT Type—Static LAN-to-LAN NAT rules map source IP addresses to translated IP addresses on a one-to-one basis. Static rules apply both to inbound traffic, which is traffic received over a tunnel, and outbound traffic, which is traffic entering the tunnel.

■ Source Network—Local IP address, 10.10.10.0, and wildcard mask, 0.0.0.255: all the hosts on the 10.10.10.0 network.

■ Translated Network—Translated IP address, 20.20.20.0, and wildcard mask, 0.0.0.255. The source address is translated one-to-one. For example, source IP address 10.10.10.4/24 is translated to 20.20.20.4/24.

■ Remote Network—Destination IP network and wildcard mask for this LAN-to-LAN connection. This is the destination IP address for a specific remote LAN-to-LAN connection, and the rule is applied only to packets bound for this address space. For example, if a network has remote sites B, C, and D, and the LAN-to-LAN NAT rule should apply only to packets bound for site C, the administrator would define the address of site C in the Remote Network field. Remote Network is not used in this example.
Site B LAN-to-LAN NAT Configuration (figure): the LAN-to-LAN NAT rule window for Concentrator B with NAT Type Static selected and the same field descriptions as the window shown earlier. Values shown for Concentrator B:
                Source Network   Translated Network   Remote Network
IP Address      10.10.10.14      30.30.30.14          0.0.0.0
Wildcard Mask   0.0.0.0          0.0.0.0              255.255.255.255
In the figure, translation takes place at both ends of the LAN-to-LAN connection. Concentrator A's Network Address Translation (NAT) rules were configured on a previous page. The administrator is now defining LAN-to-LAN NAT rules for Concentrator B. The Concentrator is configured to translate a destination IP address of 30.30.30.14/24 to IP address 10.10.10.14/24. Concentrator B's LAN-to-LAN NAT rule configuration is as follows:

■ NAT Type—Static LAN-to-LAN NAT rules map source IP addresses to translated IP addresses on a one-to-one basis, 10.10.10.14/24 to 30.30.30.14/24. Static rules apply both to inbound traffic, which is traffic received over a public interface, and outbound traffic, which is traffic bound for a public interface.

■ Source Network—Server B IP address, 10.10.10.4/24, and wildcard mask, 0.0.0.0. A specific server on the 10.10.10.0/24 network is referenced.

■ Translated Network—Translated IP address, 30.30.30.14, and wildcard mask, 0.0.0.0. IP address 30.30.30.14/24 is the translated IP address for server B.

■ Remote Network—A destination IP network and wildcard mask for this LAN-to-LAN connection is not used.
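The two static rules, worked through in code. This is an added example and not Cisco's or the Concentrator's own code; the classes and functions (StaticNatRule, wildcard_match, remap, route_decision, trace_round_trip) and the simplified route_decision model of the site A network lists are this example's own assumptions. It applies Concentrator A's rule (10.10.10.0/0.0.0.255 to 20.20.20.0/0.0.0.255) and Concentrator B's rule (10.10.10.14/0.0.0.0 to 30.30.30.14/0.0.0.0) to the lesson's packet in both directions, and goes a little beyond the text by showing Cisco wildcard-mask matching in general and a rule restricted by its Remote Network field:

```python
"""Static LAN-to-LAN NAT with Cisco wildcard masks (added example, not Cisco's code).

Models the two static rules from the Site A and Site B windows and traces the
lesson's packet from the Site A PC (10.10.10.4) to server B (reached as
30.30.30.14, really 10.10.10.14) and the reply. Rule semantics follow the
lesson text: static rules are one-to-one and bidirectional, and the Remote
Network field limits which destinations a rule applies to.
"""
import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def int_to_ip(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'do not care'.
    0.0.0.255 matches a /24, 0.0.0.0 matches one host, 255.255.255.255 matches anything."""
    care = ~ip_to_int(wildcard) & MASK32
    return (ip_to_int(addr) & care) == (ip_to_int(network) & care)


def remap(addr: str, to_network: str, wildcard: str) -> str:
    """One-to-one translation: keep the host bits the wildcard leaves free and
    replace the network bits with to_network (10.10.10.4 -> 20.20.20.4)."""
    wc = ip_to_int(wildcard)
    return int_to_ip((ip_to_int(to_network) & ~wc & MASK32) | (ip_to_int(addr) & wc))


@dataclass(frozen=True)
class StaticNatRule:
    source_net: str
    source_wc: str
    translated_net: str
    translated_wc: str
    remote_net: str = "0.0.0.0"           # 0.0.0.0/255.255.255.255 = any remote network
    remote_wc: str = "255.255.255.255"

    def apply(self, src: str, dst: str, direction: str) -> tuple:
        """Return the (src, dst) pair after this rule; unmatched packets pass unchanged."""
        if direction == "outbound":
            # Traffic entering the tunnel: translate a matching source address.
            if (wildcard_match(src, self.source_net, self.source_wc)
                    and wildcard_match(dst, self.remote_net, self.remote_wc)):
                return remap(src, self.translated_net, self.source_wc), dst
        elif direction == "inbound":
            # Traffic received over the tunnel: undo the translation on the destination.
            if (wildcard_match(dst, self.translated_net, self.translated_wc)
                    and wildcard_match(src, self.remote_net, self.remote_wc)):
                return src, remap(dst, self.source_net, self.translated_wc)
        return src, dst


# The two rules from the lesson's Site A and Site B configuration windows.
RULE_A = StaticNatRule("10.10.10.0", "0.0.0.255", "20.20.20.0", "0.0.0.255")
RULE_B = StaticNatRule("10.10.10.14", "0.0.0.0", "30.30.30.14", "0.0.0.0")

# Site A network lists from the lesson (assumed model): local addresses never enter the tunnel.
SITE_A_LOCAL = [("10.10.10.0", "0.0.0.255"), ("20.20.20.0", "0.0.0.255")]
SITE_A_REMOTE = [("30.30.30.0", "0.0.0.255")]


def route_decision(dst: str, local_lists, remote_lists) -> str:
    """Simplified model of the Concentrator's choice: a destination matching a
    local network is delivered locally (so an overlapping address never reaches
    the tunnel), a remote-list match goes down the tunnel, anything else is dropped."""
    if any(wildcard_match(dst, n, w) for n, w in local_lists):
        return "local"
    if any(wildcard_match(dst, n, w) for n, w in remote_lists):
        return "tunnel"
    return "drop"


def trace_round_trip(pc: str = "10.10.10.4", server_alias: str = "30.30.30.14") -> dict:
    """(src, dst) as seen at each point of the request and of the reply."""
    hops = {}
    s, d = pc, server_alias
    hops["pc_sends"] = (s, d)
    s, d = RULE_A.apply(s, d, "outbound"); hops["after_A_out"] = (s, d)
    s, d = RULE_B.apply(s, d, "inbound");  hops["after_B_in"] = (s, d)
    s, d = d, s                            # the server replies to the addresses it saw
    hops["server_replies"] = (s, d)
    s, d = RULE_B.apply(s, d, "outbound"); hops["after_B_out"] = (s, d)
    s, d = RULE_A.apply(s, d, "inbound");  hops["after_A_in"] = (s, d)
    return hops


if __name__ == "__main__":
    for point, (s, d) in trace_round_trip().items():
        print(f"{point:15s} S: {s:15s} D: {d}")
    print("10.10.10.14 from Site A ->", route_decision("10.10.10.14", SITE_A_LOCAL, SITE_A_REMOTE))
    print("30.30.30.14 from Site A ->", route_decision("30.30.30.14", SITE_A_LOCAL, SITE_A_REMOTE))
```

The trace shows why both ends must translate: after Concentrator A the request reads S: 20.20.20.4 D: 30.30.30.14, Concentrator B rewrites the destination to 10.10.10.14, and the reply is rewritten in the opposite order so the PC finally receives S: 30.30.30.14 D: 10.10.10.4. The route_decision call with 10.10.10.14 returns "local", which is the lesson's point that the PC has to address the server as 30.30.30.14.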
Enable NAT (figure): the Configuration>Policy Management>Traffic Management>NAT>Enable window. The window text reads "This section lets you enable system-wide NAT rules." It has two check boxes:
- Interface NAT Rules Enabled (cleared): Check to enable NAT rules on interfaces.
- LAN-to-LAN Tunnel NAT Rule Enabled (selected): Check to enable NAT rules on LAN-to-LAN tunnels.
Apply and Cancel buttons follow.


The second step is to enable LAN-to-LAN Network Address Translation (NAT). Choose 
Configuration>Policy Management>Traffic Management>NAT>Enable. The Enable 
window opens. Select the LAN-to-LAN Tunnel NAT Rule Enabled check box to enable NAT 
rules for LAN-to-LAN connections, or deselect it to disable these NAT rules. By default, the 
check box is deselected. It is recommended that you configure LAN-to-LAN NAT rules before 
you enable the function. The administrator can change NAT rules while NAT is enabled. Doing 
so affects subsequent sessions, but not current sessions, as long as the changed rule still allows 
current sessions; if it does not, traffic will stop. 
Concentrator Network Lists—Site A

The NAT rule types were selected, NAT rules were defined, and the LAN-to-LAN Tunnel NAT rule was enabled. The last step is to tie the translated addresses to the Concentrator. The Concentrator must know how to route the translated addresses. The translated addresses are defined at their respective ends of the tunnel with network lists. Concentrator A needs to know that 10.10.10.0/24 and 20.20.20.0/24 are considered to be local addresses and that 30.30.30.0/24 is considered to be a remote address. To reach 30.30.30.0/24 from site A, traffic is routed down a LAN-to-LAN tunnel between site A and site B. The two network lists are defined and applied to the IPSec LAN-to-LAN tunnel. Once defined, PC packets can be routed from site A to the server on site B.

In the figure, two network lists are defined. At site A, local and remote network address lists are defined. The local list includes networks 10.10.10.0 and 20.20.20.0. A remote network list includes network 30.30.30.0. These lists aid the Concentrator in making LAN-to-LAN tunnel routing decisions: which networks are local, and which networks can be reached through the tunnel (the remote network list).

The network information is also configured at site B (not shown). Site B network list information is discussed later in this lesson.
Concentrator Network Lists—Site B

The NAT rule types were selected, NAT rules were defined, and the LAN-to-LAN Tunnel NAT rule was enabled. The last step is to tie the translated addresses to Concentrator B. Concentrator B must know how to route the translated addresses. Concentrator B needs to know that 10.10.10.0/24 and 30.30.30.0/24 are considered to be local addresses and that 20.20.20.0/24 is considered to be a remote address. To reach 20.20.20.0/24 from site B, traffic is routed down a LAN-to-LAN tunnel between site B and site A. The two network lists are defined and applied to the IPSec LAN-to-LAN tunnel. Once defined, PC packets can be routed from site B to the PC on site A.

In the figure, two network lists are defined at each end of the tunnel. At site B, local and remote network address lists are defined. The local list includes networks 10.10.10.0 and 30.30.30.0. A remote network list includes network 20.20.20.0. These lists aid the Concentrator in making LAN-to-LAN tunnel routing decisions: which networks are local, and which networks can be reached through the tunnel (the remote network list).
LAN-to-LAN NAT Statistics

Choose Monitoring>Statistics>NAT. The NAT window opens to view NAT statistics. The window displays statistics for NAT activity on the Concentrator since it was last booted or reset. An explanation of the NAT statistics fields is as follows:

■ Packets In/Out—The total of NAT packets inbound and outbound since the last time the Concentrator was rebooted or reset.

■ Translations Active—The number of currently active NAT sessions.

■ Translations Peak—The maximum number of NAT sessions that were simultaneously active on the Concentrator since it was last booted or reset.

■ Translations Total—The total number of NAT sessions on the Concentrator since it was last booted or reset.

■ NAT Sessions—The following fields provide detailed information about active NAT sessions on the Concentrator:

— Source IP Address/Port—The source IP address and port for the NAT session.
— Destination IP Address/Port—The destination IP address and port for the NAT session.
— Translated IP Address/Port—The translated IP address and port for the NAT session. The Concentrator uses this port number to keep track of which devices initiate data transfer; by keeping this record, the Concentrator is able to correctly route responses.
— Direction—The direction, inbound or outbound, of the data transferred for the NAT session.
— Age—The number of half seconds remaining until the NAT session times out.

In the figure, the PC is pinging the remote server, 10.0.6.5. The PC needs to address packets to 
30.30.30.5 to access the remote server. This is the address supplied by the network 
administrator. In the statistics window, there are 4 packets in and 4 packets out. This represents 
1 NAT session. In the NAT session statistics at the bottom of the window, the address of the PC 
is the source address, 10.0.1.15. The destination address of the server is the address supplied by 
the IT administrator, 30.30.30.5. Concentrator A will translate the PC source address of 
10.0.1.15 to 20.20.20.15. Therefore, the translated address is 20.20.20.15. The translation occurs 
in the outbound direction, from PC to Concentrator A. 
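To make the rule and counter semantics above concrete, here is an added example in Python; it is not Concentrator code (the lesson configures all of this through the Manager). It models a static LAN-to-LAN NAT rule in the Concentrator's wildcard-mask form, the local and remote network lists that decide which packets enter the tunnel, and the session table behind the Packets In/Out and Translations counters, replaying the figure's four-ping session from 10.0.1.15 to 30.30.30.5. Site A's network lists, the session timeout and the traffic itself are constructed assumptions.

```python
"""LAN-to-LAN NAT walk-through.

Added example, not Concentrator code. It models what the lesson's figures
describe: a static LAN-to-LAN NAT rule in wildcard-mask form
(10.0.1.0 / 0.0.0.255 -> 20.20.20.0 / 0.0.0.255), the local and remote
network lists that decide which traffic enters the tunnel, and the session
table behind the Monitoring>Statistics>NAT counters. Site A's network lists,
the timeout and the ping traffic are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass, field


def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _s(value: int) -> str:
    return str(ipaddress.IPv4Address(value & 0xFFFFFFFF))


def _in_wildcard(addr: str, net: str, wildcard: str) -> bool:
    """Wildcard bits set to 1 are ignored; the 0 bits must equal the network."""
    keep = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & keep) == (_u32(net) & keep)


@dataclass
class StaticRule:
    """A static LAN-to-LAN NAT rule: source network, translated network, wildcard mask."""
    source_net: str
    translated_net: str
    wildcard: str

    def matches(self, addr: str) -> bool:
        return _in_wildcard(addr, self.source_net, self.wildcard)

    def translate(self, addr: str) -> str:
        # Replace the network bits; keep the host bits the wildcard marks as variable.
        w = _u32(self.wildcard)
        return _s((_u32(self.translated_net) & ~w) | (_u32(addr) & w))


def in_network_list(addr: str, network_list: list) -> bool:
    """Entries are 'network/wildcard' strings, as typed into Network Lists."""
    return any(_in_wildcard(addr, *entry.split("/")) for entry in network_list)


@dataclass
class NatSession:
    source: str
    destination: str
    translated: str
    direction: str
    age: int  # half seconds remaining until the session times out


@dataclass
class NatStats:
    packets_in: int = 0
    packets_out: int = 0
    translations_peak: int = 0
    translations_total: int = 0
    sessions: dict = field(default_factory=dict)  # (source, destination) -> NatSession

    @property
    def translations_active(self) -> int:
        return len(self.sessions)


class Concentrator:
    def __init__(self, rule, local_list, remote_list, timeout_half_seconds=120):
        self.rule, self.local_list, self.remote_list = rule, local_list, remote_list
        self.timeout = timeout_half_seconds  # constructed value, not the Concentrator's default
        self.stats = NatStats()

    def outbound(self, src: str, dst: str):
        """Packet from the local LAN. Returns the (src, dst) sent into the tunnel,
        or None when the packet is not LAN-to-LAN traffic for this tunnel."""
        if not (in_network_list(src, self.local_list) and in_network_list(dst, self.remote_list)):
            return None
        if not self.rule.matches(src):
            return (src, dst)  # tunnelled untranslated: no rule covers this source
        key = (src, dst)
        if key not in self.stats.sessions:
            self.stats.sessions[key] = NatSession(src, dst, self.rule.translate(src), "Outbound", self.timeout)
            self.stats.translations_total += 1
            self.stats.translations_peak = max(self.stats.translations_peak, self.stats.translations_active)
        self.stats.packets_out += 1
        return (self.stats.sessions[key].translated, dst)

    def inbound(self, src: str, dst: str):
        """Reply from the tunnel addressed to a translated address. Returns the (src, dst)
        delivered on the LAN, or None when no session matches."""
        for sess in self.stats.sessions.values():
            if sess.destination == src and sess.translated == dst:
                self.stats.packets_in += 1
                return (src, sess.source)
        return None


def walk_through():
    """The figure's scenario: PC 10.0.1.15 pings 30.30.30.5 four times through Concentrator A."""
    a = Concentrator(
        StaticRule("10.0.1.0", "20.20.20.0", "0.0.0.255"),
        local_list=["10.0.1.0/0.0.0.255", "20.20.20.0/0.0.0.255"],  # constructed for site A
        remote_list=["30.30.30.0/0.0.0.255"],
    )
    for _ in range(4):
        wire_src, wire_dst = a.outbound("10.0.1.15", "30.30.30.5")
        a.inbound(wire_dst, wire_src)  # the echo reply comes back to 20.20.20.15
    return a


if __name__ == "__main__":
    st = walk_through().stats
    print(f"Packets In/Out: {st.packets_in}/{st.packets_out}, "
          f"active {st.translations_active}, total {st.translations_total}")
    for s in st.sessions.values():
        print(s)
```

Running it reproduces the window in the figure: 4 packets in, 4 packets out, one session whose source is 10.0.1.15, destination 30.30.30.5, translated address 20.20.20.15, direction Outbound. The same helper, with the rule and lists swapped, models site B's translation of 10.0.6.5 to 30.30.30.5.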


16-18 Cisco Secure Virtual Private Networks 4.7 Copyright © 2005, Cisco Systems, Inc. 


Summary 

This topic summarizes what you learned in this lesson. 

• LAN-to-LAN NAT translates overlapping private network address spaces. 
• There are two translation rule types: static and dynamic. 
• LAN-to-LAN rules should be configured first. 
• LAN-to-LAN rules should be enabled next. 
• Tie a translated address to a Concentrator. 
Lab Exercise—Configure the Cisco VPN 3000 Series Concentrators for NAT over LAN-to-LAN 


Complete the following lab exercise to practice what you learned in this lesson. 


Objectives 


Your task in this lab exercise is to configure one end of a LAN-to-LAN Virtual Private Network 
(VPN) while another team completes the same tasks at a remote site. Work with your lab partner 
to complete the following tasks on your side of the LAN-to-LAN VPN: 

■ Complete the lab exercise setup. 
■ Verify the Cisco VPN 3000 Series Concentrator LAN-to-LAN connectivity. 
■ Configure the LAN-to-LAN NAT rules. 
■ Configure network lists. 
■ Verify the Cisco VPN 3000 Series Concentrator LAN-to-LAN connectivity. 
■ Create and monitor a LAN-to-LAN NAT session. 
Visual Objective 

The following figure displays the configuration you will complete in this lab exercise. 

[Figure: Lab Visual Objective. Labels in the figure: 192.168.P.0, Translation IP address, Pods 6-10, RBB, 192.168.Q.0, Translation IP address, 30.30.30.0/24, Student PC, Web, 10.0.Q.15.] 


Scenario 


Your company wants you to implement a VPN between the world headquarters campus site and 
the remote sales offices using Network Address Translation (NAT) over a LAN-to-LAN tunnel. 

You must configure the Cisco VPN 3000 Series Concentrators for LAN-to-LAN tunneling using 
NAT. 


Task 1—Complete the Lab Exercise Setup 


Before starting this lab exercise, verify your equipment is set up as follows: 

■ Ensure that your student PC is powered on. 

■ Ensure that your student IP addresses are configured correctly: 
— Primary IP address—10.0.P.15 (where P = pod number) 
— Subnet mask—255.255.255.0 
— Default gateway IP address—10.0.P.5 (where P = pod number) 

■ Ensure that your Concentrator is powered on. 


Task 2—Verify the Cisco VPN 3000 Series Concentrator LAN-to-LAN 
Connectivity 


Before configuring the LAN-to-LAN NAT rules, verify a tunnel can be established between 
Concentrators. Complete the following steps to verify the LAN-to-LAN tunnel connections: 

Step 1 Launch Internet Explorer by double-clicking the desktop icon. 

Step 2 Enter a Concentrator private interface IP address of 10.0.P.5 in the Internet Explorer Address 
field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator 
Series Manager. 

Step 3 Log into the Cisco VPN 3000 Concentrator Series Manager using the administrator account: 
Login: admin 
Password: admin 

The username (login) and password are always case sensitive. 

Step 4 Ping your peer Concentrator private interface at 10.0.Q.5 (where Q = peer pod number) using the 
Administration menu tree ping function. If the LAN-to-LAN wizard was configured correctly, 
the VPN 3005 will build an IPSec tunnel based on the student supplied network information and 
the default IKE and IPSec templates. View the results. 

Step 5 From the Monitoring menu tree, drill down to Sessions and answer the following questions: 
Q1) Is the LAN-to-LAN session established? 

A) 


Task 3—Configure the LAN-to-LAN NAT Rules 

In this lab exercise, translation is performed at both ends of the tunnel. To accomplish this, NAT 
rules must be defined, NAT rules must be enabled, and translation addresses applied to the LAN-to-
LAN tunnel. The first step is to configure LAN-to-LAN NAT rules. One NAT rule is configured 
in each Concentrator. The exact IP addresses to enter depend on the location of the 
Concentrator. Pods 1-5 enter a translation IP address of 20.20.20.0/0.0.0.255 and perform 
step 1. Pods 6-10 use a translation IP address of 30.30.30.0/0.0.0.255 and perform step 2. 
Configure and enable the LAN-to-LAN rule for your pod. 

■ For pods 1-5, complete step 1. 

■ For pods 6-10, complete step 2. 

Step 1 For pods 1-5, complete the following sub-steps to build the correct NAT rule. From the 
Configuration menu, drill down to Policy Management>Traffic Management>NAT>LAN-to-
LAN NAT Rules. The Configuration>Policy Management>Traffic Management>NAT>LAN-
to-LAN Rules window opens. 

1. Under the Actions column click Add. The Configuration>Policy Management>Traffic 
Management>NAT>LAN-to-LAN Rules>Add window opens. 
2. Under NAT type, select Static. 
3. Configure the Source Network IP address and wildcard mask fields: 
IP address—10.0.P.0 (where P = pod number) 
Wildcard mask—0.0.0.255 
4. Configure the correct translation IP address for your end of the tunnel. If you are located at 
pods 1-5, enter the following in the Translated IP address and wildcard mask fields: 
IP address—20.20.20.0 
Wildcard mask—0.0.0.255 
5. Click Add. 
6. From Configuration, drill down to Policy Management>Traffic Management>NAT> 
Enable. The Enable window opens. 
7. Select LAN-to-LAN Tunnel NAT Rule Enabled. 
8. Click Apply. 
9. Save the changes. 
10. Proceed to Task 4. 


Step 2 For pods 6-10, complete the following sub-steps to build the correct NAT rule. From the 
Configuration menu, drill down to Policy Management>Traffic Management>NAT>LAN-to-
LAN NAT Rules. The Configuration>Policy Management>Traffic Management>NAT>LAN-to-
LAN Rules window opens. 

1. Under the Actions column click Add. The Configuration>Policy Management>Traffic 
Management>NAT>LAN-to-LAN Rules>Add window opens. 
2. Under NAT type, select Static. 
3. Configure the Source Network IP address and wildcard mask fields: 
IP address—10.0.P.0 (where P = pod number) 
Wildcard mask—0.0.0.255 
4. Configure the correct translation IP address for your end of the tunnel. If you are located at 
pods 6-10, enter the following in the Translated IP address and wildcard mask fields: 
IP address—30.30.30.0 
Wildcard mask—0.0.0.255 
5. Click Add. 
6. From Configuration, drill down to Policy Management>Traffic Management>NAT> 
Enable. The Enable window opens. 
7. Select LAN-to-LAN Tunnel NAT Rule Enabled. 
8. Click Apply. 
9. Save the changes. 
10. Proceed to Task 4. 


Task 4—Configure Network Lists 


In a previous lab, you defined network lists for both ends of the LAN-to-LAN tunnel. In this 
task, modify each list to include the translation IP address. The two translation addresses are 
20.20.20.0 and 30.30.30.0. It is important to add each IP address to the correct network list. For 
pods 1-5, IP address 20.20.20.0 is a local address and 30.30.30.0 is a remote address. For pods 
6-10, IP address 30.30.30.0 is a local address and 20.20.20.0 is a remote address. (If confused, 
viewing the visual objective at the beginning of this lab may help.) Complete the following steps 
to add the local and remote translation addresses to the proper network list: 

■ For pods 1-5, complete step 1. 

■ For pods 6-10, complete step 2. 

Step 1 For pods 1-5, complete the following sub-steps to modify the local and remote network lists: 

1. From the Configuration menu tree, drill down to Policy Management>Traffic Management> 
Network Lists. 

2. Under the Network List column, select podP (your local network list) 
(where P = pod number). 
■ Click Modify. 
■ Under Network Lists, enter 20.20.20.0/0.0.0.255. 
■ Click Apply. 

3. Under the Network List column, select podQ (your remote network list) 
(where Q = peer pod number). 
■ Click Modify. 
■ Under Network Lists, enter 30.30.30.0/0.0.0.255. 
■ Click Apply. 
■ Save the configuration changes. 

4. Proceed to Task 5. 


Step 2 For pods 6-10, complete the following sub-steps to modify the local and remote network lists: 

5. From the Configuration menu tree, drill down to Policy Management>Traffic 
Management>Network Lists. 

6. Under the Network List column, select podP (your local network list) 
(where P = pod number). 
■ Click Modify. 
■ Under Network Lists, enter 30.30.30.0/0.0.0.255. 
■ Click Apply. 

7. Under the Network List column, select podQ (your remote network list) 
(where Q = peer pod number). 
■ Click Modify. 
■ Under Network Lists, enter 20.20.20.0/0.0.0.255. 
■ Click Apply. 
■ Save the configuration changes. 

8. Proceed to Task 5. 


Task 5—Verify the Cisco VPN 3000 Series Concentrator LAN-to-LAN 
Connectivity 


After completing the LAN-to-LAN NAT configuration changes, verify a tunnel can still be 
established between Concentrators. Complete the following steps to check the LAN-to-LAN 
tunnel connections: 


Step 1 Open a Command Prompt from the desktop icon on your student PC and ping the translated 
address of your peer’s student PC continuously. 

Note If necessary, disconnect any previously established LAN-to-LAN tunnels. 

■ For pods 1-5, use the following: C:\ ping 30.30.30.15 -t 

■ For pods 6-10, use the following: C:\ ping 20.20.20.15 -t 

Step 2 View the results. 

Step 3 From the Monitoring menu tree, drill down to Sessions and answer the following questions: 

Q2) Is a LAN-to-LAN session established? 

A) 


Task 6—Monitor a LAN-to-LAN NAT Session 

In this task, you will open a LAN-to-LAN NAT session with your peer’s student PC. By 
continuously pinging your peer’s student PC address, you create a NAT session through the 
LAN-to-LAN tunnel. Complete the following steps to create and monitor a LAN-to-LAN NAT 
session: 

Step 1 From the Monitoring menu tree, drill down to Statistics>NAT. The Monitoring>Statistics>NAT 
window opens. 

Step 2 Click Reset in the Monitoring>Statistics>NAT window. Leave this Internet Explorer window 
open. 

Step 3 Click Refresh in the Monitoring>Statistics>NAT window. NAT session statistics appear. 

Step 4 Answer the following questions from the Packets and Translations statistics fields: 

Q3) How many packets went in and out? 

A) 

Q4) How many total translations were there? 

A) 

Step 5 Answer the following questions from the NAT Sessions statistics fields: 

Q5) What is the Source IP address? 

A) 

Q6) What is the Destination IP address? 

A) 

Q7) What is the Translated IP address? 

A) 

Q8) What is the NAT Session Direction? 

A) 

Step 6 Return to the Command Prompt window and stop the continuous ping by pressing Control + C 
on the student PC. 

Step 7 Return to the local Cisco VPN 3000 Concentrator Series Manager window. From Configuration, 
drill down to Policy Management>Traffic Management>NAT>Enable. The Configuration> 
Policy Management>Traffic Management>NAT>Enable window opens. 

Step 8 Deselect LAN-to-LAN Tunnel NAT Rule Enabled. 

Step 9 Click Apply. 

Step 10 Save the changes. 
Configure the Cisco Virtual Private Network 3000 Series Concentrator for LAN-to-LAN Using Digital Certificates 


Overview 


This lesson discusses how to configure the Cisco Virtual Private Network (VPN) 3000 Series 
Concentrator for LAN-to-LAN using the Simple Certificate Enrollment Protocol (SCEP). After 
presenting an overview of the SCEP process, the lesson shows you each major step of the 
configuration. This lesson includes the following topics: 

■ Objectives 
■ SCEP support overview 
■ Root certificate installation 
■ Identity certificate installation 
■ Summary 
■ Lab exercise 


Objectives 


This topic lists the lesson’s objectives. 

Upon completion of this lesson, you will be able to perform the following tasks: 

• Explain the purpose of SCEP. 
• Explain how root certificates are installed via SCEP. 
• Explain how identity certificates are installed via SCEP. 
• Configure the Concentrator for LAN-to-LAN support with digital certificates. 
SCEP Support Overview 


With a certificate authority (CA), you do not need to configure keys between all of the 
encrypting IPSec peers. Instead, each individual peer enrolls with the CA and requests a 
certificate. When this has been accomplished, the peers can exchange certificates during tunnel 
establishment. 


In the Cisco Virtual Private Network (VPN) 3000 Series Concentrator, there are two enrollment 
methods: manual and automated. With the manual process, there are a significant number of 
steps to perform before a certificate can finally be imported into the Concentrator. Using the 
Simple Certificate Enrollment Protocol (SCEP), the process is streamlined and simplified. 


[Figure: CA Server Fulfilling Requests from IPSec Peers. Each IPSec peer individually enrolls with the CA server.] 

This topic covers how certificates are generated and transferred between a CA and the 
Concentrator via SCEP. 
SCEP-Based Enrollment 

[Figure: SCEP-based enrollment between the Concentrator and the certificate server.] 

Public key technology is becoming more widely deployed. With the use of public key 
certificates in network security protocols comes the need for a certificate management protocol 
that Public Key Infrastructure (PKI) clients and CA servers can use to support automated 
certificate enrollment. The goal of the Simple Certificate Enrollment Protocol (SCEP) is to 
support the secure issuance of certificates to network devices in a scalable, more streamlined 
manner. SCEP supports automated CA public key distribution and certificate enrollment. 
(SCEP is a secure messaging protocol that requires minimal user intervention.) 


This method is quicker and allows you to enroll and install certificates using only the 
Concentrator Manager, but is only available if you are both enrolling with a CA that supports 
SCEP and enrolling via the web. If your CA does not support SCEP or if you do not have 
network connectivity to your CA, then you cannot use the automatic method; you must use the 
manual method. 
SCEP Loading Process 

[Figure: SCEP loading process. The Concentrator first loads the root certificate via SCEP, then loads the identity certificate via SCEP, both from the certificate server.] 

Whether you use the automatic or manual method, you follow the same overall certificate 
management procedure: 

Step 1 Install one or more CA certificates. 
Step 2 (Optional.) Enable certificate revocation list (CRL) checking. 
Step 3 Enroll and install identity certificates. 
Step 4 Enable digital certificates on the Concentrator. 


If you have trouble enrolling or installing digital certificates via SCEP, enable a Certificate 
(CERT) event class to assist in troubleshooting. 
Root Certificate Installation 

This topic explains how to install a root certificate on the Concentrator via SCEP. 

[Figure: SCEP—Root Certificate. The Concentrator requests the CA certificate from the certificate server, the server sends the CA certificate, and the Concentrator receives and then verifies the CA certificate.] 


Before any PKI operation can be started, the Concentrator needs to install the CA certificates. 
Complete the following steps to install the CA certificate: 


Step 1 The Concentrator sends a Get CA message to the CA. 
Step 2 The CA returns a CA certificate to the Concentrator. 


Step 3 After the Concentrator receives the CA certificate, the Concentrator authenticates the CA 
certificate. The administrator can also verify the CA certificate out-of-band by comparing the 
Concentrator’s root certificate hash with the root certificate hash registered with the CA 
administrator. When comparing the two hashes, they should match. 
Certificate Management 

[Figure: Administration>Certificate Management window. Text: "This section lets you view and manage certificates on the VPN 3000 Concentrator. Installation of a CA certificate is required before identity and SSL certificates can be installed." Links: Click here to install a CA certificate; Click here to enroll with a Certificate Authority; Click here to install a certificate. Tables: Certificate Authorities [View All CRL Caches | Clear All CRL Caches] (current: 0, maximum: 6), columns Subject, Issuer, Expiration, SCEP Issuer, Actions (No Certificate Authorities); Identity Certificates (current: 0, maximum: 2), columns Subject, Issuer, Expiration, Actions (No Identity Certificates); SSL Certificate [Generate] (Note: The public key in the SSL certificate is also used for the SSH host key), one row: 10.0.1.5 at Cisco Systems, Inc., issued by 10.0.1.5 at Cisco Systems, Inc., expiration 05/19/2006, actions View | Renew | Delete; Enrollment Status [Remove All: Errored | Timed-Out | Rejected | Cancelled | In-Progress] (current: 0, available: 3), columns Subject, Issuer, Date, Use, Reason, Method, Status, Actions (No Enrollment Requests). Slide footer: 2003, Cisco Systems, Inc. All rights reserved. CSVPN 4.0—17.9] 


The Certificate Manager enables you to manage digital certificates. The links at the top of the 
Certificate Management window guide you step-by-step through the process of enrolling and 
installing certificates: 


■ Click the Click here to install a CA certificate link to install a CA certificate (via SCEP 
or manually). The Click here to install a CA certificate option is only available from this 
window when no CA certificates are installed on the Concentrator. 

■ Click the Click here to enroll with a Certificate Authority link to create an identity 
certificate enrollment request. 

■ Click the Click here to install a certificate link to install the certificate obtained via 
enrollment. 


The bottom section of the Certificate Management window shows all the certificates installed 
in the Concentrator and lets you view, enable revocation checking, and delete certificates. The 
following four tables are displayed: 


■ Certificate Authorities table—Shows root and subordinate CA certificates installed on the 
Concentrator. 

■ Identity Certificates table—Shows installed server identity certificates. 

■ SSL Certificate table—Shows the Secure Sockets Layer (SSL) server certificate installed 
on the Concentrator. The system can have only one SSL server certificate installed: either a 
self-signed certificate or one issued in a PKI context. 

■ Enrollment Status table—Tracks the status of active enrollment requests. The number of 
enrollment requests you can make at any given time is limited to the Concentrator’s 
identity certificate capacity. Most Concentrator models allow a maximum of 20 identity 
certificates. For example, if you already have 5 identity certificates installed, you are able 
to create only up to 15 enrollment requests. The Cisco VPN 3005 Concentrator is an 
exception, supporting only 2 identity certificates. Only on the Cisco VPN 3005 
Concentrator can you request a third certificate—even if there are already two certificates 
installed. But the Concentrator does not install this certificate immediately. First, you must 
delete one of the existing certificates. Then you must activate the new certificate to replace 
the one you just deleted. The Concentrator notifies you (by issuing a severity 3 CERT class 
event) if any of the installed certificates are within one month of expiration. 
Concentrator—SCEP Enrollment Procedure 

[Figure: Administration>Certificate Management>Install>CA Certificate>SCEP window. Text: "Enter the information needed to retrieve the CA certificate via SCEP. Please wait for the operation to complete." Fields: URL (http://10.0.1.10/certsrv/mscep/msce, cut off in the screenshot); CA Descriptor (Required for some PKI configurations). Buttons: Retrieve, Cancel. The result is the installed root certificate.] 
There are three steps to generate a CA certificate via the Simple Certificate Enrollment Protocol 
(SCEP): 

Step 1 In the Administration>Certificate Management window, click the Click here to install a CA 
certificate link to install a CA certificate via SCEP. The Click here to install a CA certificate 
option is available from this window only when no CA certificates are installed on the 
Concentrator. If you do not see this option, click the Click here to install a certificate link. 

Step 2 In the Administration>Certificate Management>Install>CA Certificate window, click the SCEP 
(Simple Certificate Enrollment Protocol) link. 

Step 3 In the Administration>Certificate Management>Install>CA Certificate>SCEP window, enter 
the URL information of the CA. There is further discussion of the URL field later in this lesson. 
Click Retrieve to retrieve and install a root certificate. If all goes well, the result is an installed 
root certificate. 
SCEP URL 

[Figure: SCEP URL. CA server information the administrator needs: What is the URL of the CA server? Is a descriptor required? The Install>CA Certificate>SCEP window shows the URL field (http://10.0.1.10/certsrv/mscep/msce, cut off in the screenshot), the CA Descriptor field ("Required for some PKI configurations"), and the Retrieve and Cancel buttons.] 


In the Administration>Certificate Management>Install>CA Certificate>SCEP window, enter 
the URL location of the CA. 


■ URL field—Enter the URL of the CA’s SCEP interface. 

■ CA Descriptor field—Some CAs use descriptors to further identify the certificate. If your 
CA gave you a descriptor, enter it here. Otherwise enter a descriptor of your own. Most 
CAs require something in this field, something as simple as xxx. With a Microsoft CA, a 
non-descript entry is required. 

■ Retrieve button—Click Retrieve to retrieve a CA certificate from the CA. 

■ Cancel—Click Cancel to discard your entries and cancel the request. 

Once the Retrieve button is clicked, the Concentrator sends a Get CA message to the CA whose 
location is defined in the URL field. In turn, the CA returns a root certificate to the 
Concentrator. Upon receipt of the root certificate, the Concentrator authenticates and installs the 
root certificate. The administrator can view the root certificate from the 
Administration>Certificate Management window. 
Root Installed 

[Figure: Administration>Certificate Management window after the root certificate is installed. Links: Click here to enroll with a Certificate Authority; Click here to install a certificate. Certificate Authorities [View All CRL Caches | Clear All CRL Caches] (current: 3, maximum: 6): Subject AUSTIN at TRAINING, Issuer AUSTIN at TRAINING, Expiration 07/29/2005, SCEP Issuer Yes. Identity Certificates (current: 0, maximum: 2): No Identity Certificates. SSL Certificate [Generate] (Note: The public key in the SSL certificate is also used for the SSH host key): 10.0.1.5 at Cisco Systems, Inc., issued by 10.0.1.5 at Cisco Systems, Inc., expiration 05/19/2006, actions View | Renew | Delete. Enrollment Status [Remove All: Errored | Timed-Out | Rejected | Cancelled | In-Progress] (current: 0, available: 3): No Enrollment Requests.] 
The Administration>Certificate Management window displays the root certificate in the 
Certificate Authorities section. Under the Certificate Authorities section, there are five 
columns: 

■ Subject—A combination of both the Common Name and the Organization (O) from the 
root certificate. 

■ Issuer—A combination of both the Common Name and the Organization (O) from the root 
certificate. 

■ Expiration—The expiration date of the certificate. 

■ SCEP Issuer—For an identity certificate to be available for SCEP enrollment, the root must 
first be installed via SCEP. This cell indicates if the certificate is SCEP-enabled: 

— Yes—This certificate can issue identity certificates via SCEP. 
— No—This certificate cannot issue identity certificates via SCEP. If you want to use a 
root certificate for SCEP enrollment, but that certificate is not SCEP-enabled, reinstall 
it using SCEP. 

■ Actions—Enables you to manage particular certificates. The available actions vary with 
type and status of the certificate: 

— View—View details of this certificate. 
— Configure—Enable CRL checking for this CA certificate, modify SCEP parameters, or 
enable acceptance of subordinate CA certificates. 
— Delete—Delete this certificate from the Concentrator. 
— SCEP—View or configure SCEP parameters for this certificate. 
— Show RAs—SCEP-enabled CA certificates sometimes have supporting Registration 
Authority (RA) certificates. 
— Hide RAs—Hide the details of the RA certificates. 
View the Root Certificate 

[Figure: Administration>Certificate Management>Certificates>View window for the root certificate:] 
Subject: CN=AUSTIN, OU=VSEC, O=TRAINING, L=AUSTIN, SP=TX, C=US 
Issuer: CN=AUSTIN, OU=VSEC, O=TRAINING, L=AUSTIN, SP=TX, C=US 
Serial Number: 63F333F002E5E88845598082B73ED249 
Signing Algorithm: SHA1WithRSA 
Public Key Type: RSA (1024 bits) 
Certificate Usage: Digital Signature, Non Repudiation, Certificate Signature, CRL Signature 
MD5 Thumbprint: 38:5F:42:5E:C0:4F:CE:54:2E:47:29:48:9C:4D:44:17 
SHA1 Thumbprint: 10:03:73:53:F5:48:F7:31:B4:23:40:29:C3:FD:F3:FB:8B:F4:84:93 
Validity: 7/28/2003 at 17:29:38 to 7/29/2005 at 17:10:38 
CRL Distribution Point: http://austin/CertEnroll/AUSTIN(9).crl 


You can view the root certificate from the Administration>Certificate Management> 
Certificates>View window. The root certificate contains the following information: 


■ Subject—The system that uses the certificate, Austin. For a root certificate, the subject and 
issuer are the same. 

■ Issuer—The CA that issued the certificate, Austin. 

■ Serial Number—Identifies the certificate. 

■ Signing Algorithm—The cryptographic algorithm that the CA or other issuer used to sign 
this certificate. 

■ Public Key Type—The algorithm and size of the certified public key. 

■ Certificate Usage—The purpose of the key contained in the certificate (for example, digital 
signature, certificate signing, non-repudiation, key or data encryption). 

■ Thumbprint—A hash of the complete certificate contents. This value is unique for every 
certificate, and it positively identifies the certificate. If you question the authenticity of a 
root certificate, you can check this value with the issuer. 

■ Validity Period—Just like credit cards, certificates are valid from the date of issue to the 
date of expiration. In the example in the figure, the certificate is valid from 2/23/00 to 
2/23/02. 

■ CRL Distribution Point—All CRL distribution points from the issuer of this certificate. 
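The out-of-band thumbprint check described under Root Certificate Installation and the one-month expiration warning mentioned for the Enrollment Status table, as an added Python example that is not Concentrator code: it formats MD5 and SHA1 thumbprints the way the View window does, compares a thumbprint with the value registered with the CA administrator in constant time, and lists certificates within 30 days of expiration, the condition under which the Concentrator raises a severity 3 CERT event. The DER bytes are constructed filler, not a real certificate; the expiration dates are the ones shown in the lesson's windows.

```python
"""Root certificate checks: thumbprint comparison and expiration warning.

Added example, not Concentrator code. thumbprint() produces the MD5/SHA1
thumbprint format of the Certificates>View window, thumbprint_matches()
does the out-of-band comparison against the hash registered with the CA
administrator, and expiring_certificates() applies the rule that the
Concentrator raises a severity 3 CERT class event for certificates within
one month of expiration. CONSTRUCTED_DER is filler, not a real certificate;
the expiration dates are the ones shown in the lesson's figures.
"""
import hashlib
import hmac
from datetime import datetime


def thumbprint(der: bytes, algorithm: str = "sha1") -> str:
    """Hash of the complete DER-encoded certificate, as colon-separated uppercase hex."""
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _hex_only(value: str) -> str:
    # Accept a value copied from the CA administrator with spaces, colons or lower case.
    return "".join(ch for ch in value.upper() if ch in "0123456789ABCDEF")


def thumbprint_matches(der: bytes, registered: str, algorithm: str = "sha1") -> bool:
    """Constant-time comparison of the Concentrator's thumbprint with the registered one."""
    return hmac.compare_digest(_hex_only(thumbprint(der, algorithm)), _hex_only(registered))


def expiring_certificates(certificates, today: datetime, warn_days: int = 30):
    """certificates: list of (subject, not_after). Returns (subject, days_left) for every
    certificate within warn_days of expiration, the point at which the Concentrator logs
    a severity 3 CERT event. Already expired certificates come back with a negative count
    (an addition of this example; the lesson only describes the one-month warning)."""
    report = []
    for subject, not_after in certificates:
        days_left = (not_after.date() - today.date()).days
        if days_left <= warn_days:
            report.append((subject, days_left))
    return report


# Constructed stand-in for a DER certificate (a real one starts with a SEQUENCE tag, 0x30).
CONSTRUCTED_DER = bytes.fromhex("308201") + b"example root certificate body".ljust(64, b"\x00")

# Expiration dates from the lesson's Certificate Management window.
INSTALLED = [
    ("AUSTIN at TRAINING", datetime(2005, 7, 29, 17, 10, 38)),
    ("10.0.1.5 at Cisco Systems, Inc. (SSL)", datetime(2006, 5, 19)),
]

if __name__ == "__main__":
    print("MD5 Thumbprint ", thumbprint(CONSTRUCTED_DER, "md5"))
    print("SHA1 Thumbprint", thumbprint(CONSTRUCTED_DER, "sha1"))
    registered = thumbprint(CONSTRUCTED_DER)  # what the CA administrator would have on file
    print("root certificate verified" if thumbprint_matches(CONSTRUCTED_DER, registered) else "MISMATCH")
    print(expiring_certificates(INSTALLED, datetime(2005, 7, 5)))
```

The comparison strips colons and spaces before comparing, so a value read over the phone or pasted from the CA administrator's mail matches the window's format without manual reformatting; `hmac.compare_digest` keeps the comparison constant-time, which matters little for a thumbprint but is the habit to keep for anything secret.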
Identity Certificate Installation 

This topic explains how to install an identity certificate on the Concentrator via SCEP. 

[Figure: SCEP—Identity Certificate. The Concentrator, holding the stored SCEP-issued root certificate, generates keys, then generates and sends a certificate request to the certificate server. The server processes the request and, if approved, generates the identity certificate, which the Concentrator stores. If the request is held, the server sends "request pending", the Concentrator sends polling requests, and once the request is approved the Concentrator stores the certificate.] 
Before a Concentrator can start a PKI transaction, it first generates an asymmetric key pair 
using the selected algorithm; the Rivest, Shamir, and Adleman (RSA) algorithm is required in the Simple 
Certificate Enrollment Protocol (SCEP). After generating a public and private key, the 
Concentrator starts an enrollment transaction. The Concentrator creates a certificate request 
using Public Key Cryptography Standard #10 (PKCS#10) and sends it to the CA enveloped 
using PKCS#7. At the CA, the certificate request is processed, and hopefully approved, in 
one of two ways: automatically or manually. The two processes are as follows: 

■ Automated approval process—After the CA receives the request, it automatically approves 
the request and sends the certificate back. In the automatic mode, the transaction consists of 
one PKCSReq PKI message from the Concentrator and one CertRep PKI message to the 
Concentrator. 

■ Manual approval process—The CA requires the end Concentrator to wait until the CA 
administrator can manually authenticate the identity of the requesting end entity. In the 
manual mode, the Concentrator enters polling mode by periodically sending a 
GetCertInitial PKI message to the CA until the CA administrator completes the manual 
authentication. After this, the CA responds to GetCertInitial by returning the issued 
certificate. 
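The two approval paths above as an added simulation in Python, written for this lesson and not Cisco code: both sides of the SCEP transaction run in-process, exchanging PKCSReq, CertRep and GetCertInitial messages with the pkiStatus values SCEP defines (the messageType and pkiStatus numbers come from the SCEP specification, RFC 8894, not from the lesson). The key pair, PKCS#10 request and certificate are placeholder strings rather than real PKCS objects, the CA URL is a placeholder, and the GetCACert URL builder shows where the CA Descriptor field from the earlier SCEP window goes.

```python
"""SCEP identity-certificate enrollment, both sides simulated.

Added example, not Cisco code. The Concentrator generates a key pair, sends a
PKCSReq and either receives its certificate in one CertRep (automatic approval)
or receives PENDING and polls with GetCertInitial until the CA administrator
approves. Message-type and pkiStatus numbers are SCEP's (RFC 8894); the key,
request, certificate and base URL are placeholders.
"""
import secrets
from urllib.parse import urlencode

PKCS_REQ, CERT_REP, GET_CERT_INITIAL = 19, 3, 20   # SCEP messageType values
SUCCESS, FAILURE, PENDING = 0, 2, 3                 # SCEP pkiStatus values


def get_ca_cert_url(scep_url: str, ca_descriptor: str) -> str:
    """The GetCACert request; the CA Descriptor field travels as the 'message' parameter."""
    return scep_url + "?" + urlencode({"operation": "GetCACert", "message": ca_descriptor})


class CertificateServer:
    """Minimal CA. With manual_approval=True, requests wait for the administrator."""

    def __init__(self, manual_approval: bool):
        self.manual_approval = manual_approval
        self.pending = {}   # transactionID -> subject awaiting the administrator
        self.issued = {}    # transactionID -> issued certificate (placeholder string)
        self.next_serial = 1

    def _issue(self, tx_id: str, subject: str) -> str:
        cert = f"CERT(serial={self.next_serial}, subject={subject})"
        self.next_serial += 1
        self.issued[tx_id] = cert
        return cert

    def _reply(self, tx_id, status, cert=None):
        msg = {"messageType": CERT_REP, "transactionID": tx_id, "pkiStatus": status}
        if cert:
            msg["certificate"] = cert
        return msg

    def handle(self, msg: dict) -> dict:
        tx_id = msg["transactionID"]
        if msg["messageType"] == PKCS_REQ:
            if self.manual_approval:
                self.pending[tx_id] = msg["subject"]
                return self._reply(tx_id, PENDING)
            return self._reply(tx_id, SUCCESS, self._issue(tx_id, msg["subject"]))
        if msg["messageType"] == GET_CERT_INITIAL:
            if tx_id in self.issued:
                return self._reply(tx_id, SUCCESS, self.issued[tx_id])
            if tx_id in self.pending:
                return self._reply(tx_id, PENDING)
        return self._reply(tx_id, FAILURE)   # unknown transaction or message type

    def administrator_approves(self, tx_id: str) -> None:
        """Out-of-band step: the CA administrator authenticates the end entity."""
        self._issue(tx_id, self.pending.pop(tx_id))


class Concentrator:
    def __init__(self, subject: str):
        self.subject = subject
        self.private_key = secrets.token_hex(16)   # stands in for RSA key-pair generation
        self.identity_certificate = None
        self.polls = 0

    def enroll(self, ca: CertificateServer, max_polls: int = 5, between_polls=None) -> str:
        tx_id = secrets.token_hex(8)   # SCEP transactionID
        request = {"messageType": PKCS_REQ, "transactionID": tx_id, "subject": self.subject}
        reply = ca.handle(request)                         # PKCSReq -> CertRep
        while reply["pkiStatus"] == PENDING and self.polls < max_polls:
            if between_polls:
                between_polls(tx_id)                       # time passes; the administrator may act
            self.polls += 1
            reply = ca.handle({"messageType": GET_CERT_INITIAL, "transactionID": tx_id})
        if reply["pkiStatus"] == SUCCESS:
            self.identity_certificate = reply["certificate"]
            return "Installed"
        return "In-Progress" if reply["pkiStatus"] == PENDING else "Rejected"


SUBJECT = "CN=student1,OU=training,O=Cisco,L=Austin,SP=Texas,C=US"  # values from the enrollment form


def automatic_enrollment():
    ca = CertificateServer(manual_approval=False)
    c = Concentrator(SUBJECT)
    return c.enroll(ca), c.polls


def manual_enrollment(approve_on_poll: int = 2):
    ca = CertificateServer(manual_approval=True)
    c = Concentrator(SUBJECT)

    def administrator(tx_id):
        if c.polls + 1 == approve_on_poll:   # approval lands just before the n-th poll
            ca.administrator_approves(tx_id)

    return c.enroll(ca, between_polls=administrator), c.polls


if __name__ == "__main__":
    print(get_ca_cert_url("http://ca.example.test/scep", "xxx"))   # placeholder URL
    print("automatic:", automatic_enrollment())
    print("manual, approved before poll 2:", manual_enrollment())
    print("manual, not approved within 5 polls:", manual_enrollment(approve_on_poll=99))
```

The return strings mirror the Enrollment Status table: a request the CA still holds after the poll budget is exhausted stays In-Progress on the Concentrator, and a CA that no longer recognises the transaction answers FAILURE, which the Concentrator records as Rejected.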
Identity Certificate Enrollment 

[Figure: Administration>Certificate Management window before identity enrollment. Links: Click here to enroll with a Certificate Authority; Click here to install a certificate. Certificate Authorities [View All CRL Caches | Clear All CRL Caches] (current: 3, maximum: 6): AUSTIN at TRAINING, issued by AUSTIN at TRAINING, expiration 07/29/2005, SCEP Issuer Yes, actions View | Configure | Delete | SCEP | Show RAs. Identity Certificates (current: 0, maximum: 2): No Identity Certificates. SSL Certificate [Generate]: 10.0.1.5 at Cisco Systems, Inc., issued by 10.0.1.5 at Cisco Systems, Inc., expiration 05/19/2006, actions View | Renew | Delete. Enrollment Status [Remove All: Errored | Timed-Out | Rejected | Cancelled | In-Progress] (current: 0, available: 3): No Enrollment Requests.] 

The first step of the process is to install a root certificate in the Concentrator via SCEP. In the 
example in the figure, the root certificate was issued via SCEP and installed on the 
Concentrator. The next step of the process is to install an identity certificate via SCEP. In the 
example in the figure, notice there is no identity certificate installed. 
Identity Certificate Installation

(Figure: the four Administration>Certificate Management windows walked through in the steps that follow, from the Certificate Management window to the SCEP enrollment window, which reports "A certificate request has been generated" and "SCEP Status: Installed".)
There are four steps to generate an identity certificate via SCEP:

Step 1 Click the Click here to enroll with a Certificate Authority link in the Administration>Certificate Management window.

Step 2 Click the Identity certificate link in the Administration>Certificate Management>Enroll window.

Step 3 Click the Enroll via SCEP at XXX at XXX link (where XXX at XXX is the name of the CA that issues certificates via SCEP) in the Administration>Certificate Management>Enroll>Identity Certificate window.

Step 4 In the Administration>Certificate Management>Enroll>Identity Certificate>SCEP window, fill out the PKCS#10 enrollment form and click Enroll. The PKCS#10 form is discussed further later in this lesson.

If the SCEP enrollment was successful, the Concentrator returns a "SCEP Status: Installed" message.
Identity Enrollment Form

(Figure: the Administration>Certificate Management>Enroll>Identity Certificate>SCEP form: "Enter the information to be included in the certificate request. Please wait for the operation to finish." Example values: Common Name (CN) student1; Organizational Unit (OU) training; Organization (O) Cisco; Locality (L) Austin; State/Province (SP) Texas; Country (C) US; Subject Alternative Name (FQDN) and Subject Alternative Name (E-Mail Address) left blank; Challenge Password and Verify Challenge Password; Key Size RSA 512 bits. Each field carries a hint, for example "Enter the two-letter country abbreviation (e.g. United States = US)" and "Select the key size for the generated RSA key pair.")
Part of the enrollment process is to fill out an enrollment request form. The following are the enrollment request fields:

■ Common Name (CN) field—The primary identity of the entity associated with the certificate.

■ Organizational Unit (OU) field—The name of the department or other organizational unit. It must match the group name configured in the destination Concentrator.

■ Organization (O) field—The name of the company or organization.

■ Locality (L) field—The city or town where this Concentrator is located.

■ State/Province (S/P) field—The state or province where this Concentrator is located.

■ Country (C) field—The country where this Concentrator is located (for example, US). Use two characters, no spaces, and no periods.

■ Subject Alternative Name (FQDN) field—The fully qualified domain name that identifies this Concentrator in this PKI (for example, vpn3030.cisco.com). This field is optional. The alternative name is an additional data field in the certificate that provides interoperability with many Cisco IOS and PIX Firewall systems in LAN-to-LAN connections.

■ Subject Alternative Name (E-Mail Address) field—The e-mail address of the Concentrator administrator.

■ Challenge Password field—This field appears if you are requesting a certificate using SCEP. Use this field according to the policy of your CA:

— Your CA might have given you a password. If so, enter it here in order to be authenticated.

— Your CA might allow you to provide your own password to use to identify yourself to the CA in the future. If so, create your password here.

— Your CA might not require a password. If so, leave this field blank.

■ Verify Challenge Password field—Re-enter the challenge password.

■ Key Size drop-down menu—The algorithm for generating the public and private key pair and the key size. The following options are available:

— RSA 512 bits—Generates a 512-bit key using the RSA (Rivest, Shamir, Adleman) algorithm. This key size provides sufficient security and is the default selection. It is the most common choice and requires the least processing.

— RSA 768 bits—Generates a 768-bit key using the RSA algorithm. This key size provides normal security. It requires approximately 2 to 4 times more processing than the 512-bit key.

— RSA 1024 bits—Generates a 1024-bit key using the RSA algorithm. This key size provides high security. It requires approximately 4 to 8 times more processing than the 512-bit key.
Identity Certificate Installed

(Figure: the Administration>Certificate Management window after SCEP enrollment. Certificate Authorities (current: 3, maximum: 6): AUSTIN at TRAINING, issuer AUSTIN at TRAINING, expiration 07/29/2005, SCEP Issuer Yes, actions View | Configure | Delete | SCEP | Show RAs. Identity Certificates (current: 1, maximum: 2): student1 at Cisco, issuer AUSTIN at TRAINING, expiration 07/29/2004, actions View | Renew | Delete. SSL Certificate: 10.0.1.5 at Cisco Systems, Inc., expiration 05/19/2006, actions View | Renew | Delete. Enrollment Status (current: 0, available: 2): No Enrollment Requests.)
After you fill out the enrollment request form and click Enroll, an identity certificate is loaded on the Concentrator. Choose the Administration>Certificate Management window to view the identity certificate. The identity certificate entry columns are as follows:

■ Subject—A combination of the Common Name (CN) or Organizational Unit (OU), if present, and the Organization (O) in the Subject column of the certificate.

■ Issuer—A combination of the Common Name (CN) or Organizational Unit (OU), if present, and the Organization (O) in the Issuer column of the certificate.

■ Expiration—The expiration date of the certificate.

■ Actions—This column enables you to manage particular certificates. The actions available vary by the type and status of the certificate:

— View—View this certificate.

— Renew—A shortcut that enables you to generate an enrollment request based on the content of an existing certificate.

— Delete—Delete this certificate from the Concentrator.
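The enrollment-form rules described above (the OU must match a group configured on the destination Concentrator, the country is two letters with no spaces or periods, the challenge password is typed twice) and the way the Subject and Issuer columns are rendered (CN, or OU if there is no CN, "at" O) can be checked with a few lines of code. The following is an added example written for this lesson, not code from the course or from the Concentrator; the group names, form values and function names are constructed for illustration.

```python
"""Constructed example: turning the enrollment-form fields into a PKCS#10
subject, validating them against the rules in the lesson, and rendering the
'CN at O' names shown in the Certificate Management tables.
Hypothetical helper code, not the Concentrator's implementation."""
import re

# Order in which the View window lists the subject attributes
FORM_ORDER = ("CN", "OU", "O", "L", "SP", "C")
ALLOWED_KEY_SIZES = (512, 768, 1024)   # RSA sizes offered by the Key Size menu


def validate_enrollment_form(form, groups, key_size):
    """Return a list of problems with an enrollment request; [] means it is OK.

    form:     dict of DN attributes plus 'challenge' / 'challenge_verify'
    groups:   group names configured on the destination Concentrator
    key_size: value chosen in the Key Size drop-down menu
    """
    problems = []
    if not form.get("CN"):
        problems.append("Common Name (CN) is required")
    # The OU is what the destination Concentrator maps to a group.
    if form.get("OU") and form["OU"] not in groups:
        problems.append(f"OU {form['OU']!r} does not match any configured group")
    # Country: exactly two letters, no spaces, no periods.
    country = form.get("C", "")
    if not re.fullmatch(r"[A-Za-z]{2}", country):
        problems.append(f"Country (C) {country!r} must be two letters, no spaces or periods")
    # The challenge password must be entered identically twice (blank is allowed
    # when the CA does not require one).
    if form.get("challenge", "") != form.get("challenge_verify", ""):
        problems.append("challenge password and verification do not match")
    if key_size not in ALLOWED_KEY_SIZES:
        problems.append(f"key size {key_size} is not offered by the form")
    return problems


def build_subject(form):
    """Render the subject DN in the order the View window shows it."""
    return ",".join(f"{attr}={form[attr]}" for attr in FORM_ORDER if form.get(attr))


def parse_subject(dn):
    """Parse 'CN=student1,OU=training,...' back into a dict."""
    return dict(item.split("=", 1) for item in dn.split(",") if "=" in item)


def table_name(dn):
    """Subject/Issuer column text: CN (or OU if no CN is present) 'at' O."""
    attrs = parse_subject(dn)
    primary = attrs.get("CN") or attrs.get("OU") or ""
    return f"{primary} at {attrs.get('O', '')}"


if __name__ == "__main__":
    # Values from the lesson's example form (constructed sample)
    form = {"CN": "student1", "OU": "training", "O": "Cisco", "L": "Austin",
            "SP": "Texas", "C": "US", "challenge": "s3cret", "challenge_verify": "s3cret"}
    print(validate_enrollment_form(form, groups={"training"}, key_size=1024))
    dn = build_subject(form)
    print(dn)
    print(table_name(dn))
```

Run stand-alone, the script reports an empty problem list, the DN CN=student1,OU=training,O=Cisco,L=Austin,SP=Texas,C=US, and the table name student1 at Cisco; a form whose OU names a group that does not exist on the destination Concentrator is rejected before any request is sent.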
View the Identity Certificate

(Figure: the Administration>Certificate Management>Certificates>View window showing the student1 identity certificate.)

Subject: CN=student1, OU=training, O=Cisco, L=Austin, SP=Texas, C=US
Issuer: CN=AUSTIN, OU=VSEC, O=TRAINING, L=AUSTIN, SP=TX, C=US
Serial Number: 03F42112000400000062
Signing Algorithm: SHA1WithRSA
Public Key Type: RSA (512 bits)
MD5 Thumbprint: FB:90:6?:83:95:11:09:65:C1:87:8B:0B:74:68:E9:0F (one hex digit is illegible in the figure)
SHA1 Thumbprint: 61:00:73:BD:3F:42:3A:DC:CE:45:47:54:F4:0A:72:3F:D1:6E:FF:67
Validity: 7/29/2003 at 12:09:51 to 7/29/2004 at 12:19:51
CRL Distribution Point: http://austin/CertEnroll/AUSTIN(9).crl

You can view the identity certificate from the Administration>Certificate Management>Certificates>View window. The identity certificate contains the following information:

■ Issuer—The CA that issued the certificate.

■ Subject—File name of the identity certificate.

■ Serial Number—Identifies the certificate.

■ Signing Algorithm—The cryptographic algorithm that the CA or other issuer used to sign this certificate.

■ Public Key Type—The algorithm and size of the certified public key.

■ Thumbprint—A hash of the complete certificate contents. This value is unique for every certificate, and it positively identifies the certificate. If you question the authenticity of a root certificate, you can check this value with the issuer.

■ Validity Period—Just like credit cards, certificates are valid from the date of issue to the date of expiration. In the example in the figure, the certificate is valid from 2/25/00 to 2/25/01.

■ CRL Distribution Point—All CRL distribution points from the issuer of this certificate.
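The thumbprint the View window displays is simply a digest of the certificate's complete DER encoding, which is why comparing it with a value obtained from the issuer out of band authenticates a root certificate. The following added example (not code from the course or the Concentrator) computes MD5 and SHA1 thumbprints in the window's colon-separated format, compares one against an out-of-band value, and classifies a validity period; the certificate bytes are a constructed stand-in, not a real certificate.

```python
"""Constructed example of the thumbprint and validity checks behind the
Certificates>View window. Illustrative code, not Cisco's; SAMPLE_DER is a
made-up stand-in for a DER-encoded certificate."""
import hashlib
from datetime import datetime, timedelta

# Constructed stand-in for a certificate's DER bytes. A real certificate is a
# few hundred bytes beginning with the ASN.1 SEQUENCE tag 0x30; only the
# "hash the complete contents" idea matters here.
SAMPLE_DER = bytes.fromhex("308201") + b"constructed-certificate-body"


def thumbprint(der_bytes, algorithm="sha1"):
    """Hash of the complete certificate contents, rendered as colon-separated
    hex the way the View window prints its MD5 and SHA1 thumbprints."""
    digest = hashlib.new(algorithm, der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _normalize(fp):
    """Accept 'AB:CD', 'ab cd' or 'abcd' so a value read back from the issuer
    over the phone or copied from a web page compares equal."""
    return fp.replace(":", "").replace(" ", "").upper()


def thumbprint_matches(der_bytes, expected, algorithm="sha1"):
    """True if the locally computed thumbprint equals the value obtained from
    the issuer out of band; this is how a root certificate is authenticated."""
    return _normalize(thumbprint(der_bytes, algorithm)) == _normalize(expected)


def _dt(value):
    """Accept datetime objects or ISO 8601 strings such as '2004-07-29T12:19:51'."""
    return value if isinstance(value, datetime) else datetime.fromisoformat(value)


def validity_status(not_before, not_after, now, warn_days=30):
    """Classify a certificate relative to 'now': 'not yet valid', 'expired',
    'expiring soon' (within warn_days, roughly when the Concentrator raises
    its renewal event) or 'valid'."""
    not_before, not_after, now = _dt(not_before), _dt(not_after), _dt(now)
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring soon"
    return "valid"


if __name__ == "__main__":
    print("SHA1", thumbprint(SAMPLE_DER))
    print("MD5 ", thumbprint(SAMPLE_DER, "md5"))
    print(validity_status("2003-07-29T12:09:51", "2004-07-29T12:19:51", "2004-07-15T00:00:00"))
```

Changing a single byte of the certificate changes the whole thumbprint, so a mismatch against the issuer's published value means the certificate on the Concentrator is not the one the issuer produced.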
Enrollment Status

(Figure: the Administration>Certificate Management window with a failed request in the Enrollment Status table. Certificate Authorities (current: 3, maximum: 6): AUSTIN at TRAINING, expiration 02/23/2003, SCEP Issuer Yes. Identity Certificates (current: 1, maximum: 20): student1 at Cisco, issuer AUSTIN at TRAINING, expiration 02/21/2003, actions View | Renew | Delete. SSL Certificate: 200.200.200.1 at Cisco Systems, Inc. Enrollment Status (current: 1, available: 19): subject student1 at Cisco, issuer AUSTIN at TRAINING, date 02/24/2002, use ID, reason Re-enroll, method SCEP, status Rejected, actions View | Resubmit | Delete.)
The enrollment status table tracks the status of active enrollment requests. The different parts of the enrollment status table are as follows:

■ Subject column—A combination of the Common Name (CN) or Organizational Unit (OU), if present, and the Organization (O) in the Subject column of the certificate.

■ Issuer column—A combination of the Common Name (CN) or Organizational Unit (OU), if present, and the Organization (O) in the Issuer column of the certificate.

■ Date column—Date the enrollment request was issued.

■ Use column—Identity or SSL.

■ Reason column—Initial, re-enrollment, or re-key.

■ Method column—SCEP or manual.

■ Status column—Shows the status of the recent enrollment requests:

— Errored link—An internal error occurred during the enrollment process; therefore, enrollment was stopped.

— Timed-Out link—The SCEP polling cycle has ended after reaching the configured maximum number of retries. This value is used only for enrollment requests created using SCEP.

— Rejected link—The CA refused to issue the certificate. This value is used only for enrollment requests created using SCEP.

— Cancelled link—The certificate request was cancelled while the Concentrator was in polling mode.

— In-Progress link—The request has been created, but the requested certificate has not yet been installed. This value is used only for PKCS#10 (manual) enrollment requests.

■ Actions column—Enables you to manage enrollment requests:

— View link—View details of this enrollment request.

— Resubmit link—Reinitiate SCEP communications with the CA or RA using the previously entered request information.

— Delete link—Delete an enrollment request from the Concentrator.
Certificate Renewal

(Figure: the Administration>Certificate Management>Renewal window: "This section allows you to re-enroll or re-key a certificate, so that the VPN 3000 Concentrator updates its certificate. The certificate request can be sent to a CA, which in turn, sends back a certificate. Please wait for the operation to finish." Fields: Certificate (SSL Certificate); Renewal Type radio buttons Re-enrollment and Re-key, with the hint "A re-enrollment uses the same key for the certificate. A re-key generates a new key for the certificate"; Enrollment Method (AUSTIN at TRAINING via SCEP); Challenge Password; Verify Challenge Password.)
SCEP does not provide for an automatic certificate renewal process. Approximately one month before a certificate expires, the Concentrator alerts you with an event message. It is up to you to renew the certificate. Certificate renewal is a shortcut that enables you to generate an enrollment request based on the content of an existing certificate. When you renew a certificate via SCEP, the new certificate does not automatically overwrite the original certificate. It remains in the Enrollment Request table until the administrator manually activates it. The different parts of the Renewal window are as follows:

■ Certificate field—Displays the type of certificate that you are re-enrolling or re-keying.

■ Renewal Type radio buttons—Specifies the type of request:

— Re-enrollment radio button—Use the same key pair as the expiring certificate.

— Re-key radio button—Generate a new key pair to replace the one in the expiring certificate.

■ Enrollment Method drop-down menu—Choose an enrollment method:

— PKCS10 Request (Manual)—Enroll using the manual process.

— [certificate name] via SCEP—Enroll automatically using this SCEP CA.

■ Challenge Password field—Your CA might have given you a password as a means of verifying your identity. If you have a password from your CA, enter it here.

■ Verify Challenge Password field—Re-enter the challenge password here.
Configuring Certificate Authority

(Figure: the Certificate Authorities table (current: 3, maximum: 6) listing AUSTIN at TRAINING, issuer AUSTIN at TRAINING, expiration 07/29/2005, SCEP Issuer Yes, actions View | Configure | Delete | SCEP | Show RAs, and the three sections of the Configure CA Certificate window: CRL retrieval policy, CRL caching, and CRL distribution.)
There are three sections to the Administration>Certificate Management>Configure CA Certificate window: CRL retrieval policy, CRL caching, and CRL distribution points (CRL-DPs). Enabling CRL checking means that every time the Concentrator uses the certificate for authentication, it also checks the latest CRL to ensure that the certificate has not been revoked. The CRL retrieval policy defines where to find the CRL-DP location. The choices are as follows: on the CA certificate, statically defined on the Concentrator, a combination of both, or CRL checking disabled.

The next section is CRL caching. Because the Concentrator has to fetch and examine the CRL from a network-based DP, CRL checking might slow system response times or cause the tunnel to fail due to Internet Key Exchange (IKE) timeout issues. Enable CRL caching to mitigate these potential problems. CRL caching stores the retrieved CRLs in local volatile memory, which enables the Concentrator to verify the revocation status of certificates more quickly.

The last section configures the location of CRL-DPs. CAs provide CRLs through network-based DPs, or CRL-DPs. Many certificates include the location of these CRL-DPs. If the CRL-DP is present in the certificate and in the proper format, you need not configure any CRL-DP fields in this window. If a CRL-DP is not present, or you choose to define additional CRL-DPs, define the CRL-DP addresses in the Static CRL-DP window.
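The interaction of the three settings is easier to see in code than in prose: the retrieval policy decides which CRL-DP URLs are tried and in what order, caching decides whether a fresh CRL is served from memory instead of being fetched again, and an unreachable CRL-DP is a distinct outcome from "not revoked". The following added example (illustrative code, not the Concentrator's implementation) models all three; the CRLs are constructed sample data and "fetching" is a dictionary lookup rather than an HTTP or LDAP request.

```python
"""Constructed example of the three CRL settings: a retrieval policy that
says where to look for CRL distribution points, caching of retrieved CRLs in
memory, and statically configured CRL-DPs. Illustrative code, not the
Concentrator's implementation; SAMPLE_CRLS is constructed data."""
from datetime import datetime

# Retrieval policy choices, as listed in the lesson
POLICY_CERT = "cert"          # use the CRL-DPs carried in the CA certificate
POLICY_STATIC = "static"      # use the CRL-DPs configured on the Concentrator
POLICY_BOTH = "both"          # certificate CRL-DPs first, then the static ones
POLICY_DISABLED = "disabled"  # do not check CRLs at all

# Constructed "network": URL -> (nextUpdate as ISO 8601, set of revoked serials)
SAMPLE_CRLS = {
    "http://austin/CertEnroll/AUSTIN.crl": ("2004-01-08T00:00:00", {"03F42112000400000062"}),
    "http://backup/AUSTIN.crl": ("2004-01-08T00:00:00", set()),
}


class RevocationChecker:
    def __init__(self, policy, static_dps=(), caching=True, fetch=SAMPLE_CRLS.get):
        self.policy = policy
        self.static_dps = list(static_dps)
        self.caching = caching
        self.fetch = fetch        # stand-in for the network retrieval
        self.cache = {}           # url -> (next_update, revoked); volatile memory
        self.fetch_count = 0      # makes the effect of caching visible

    def _candidate_dps(self, cert_dps):
        if self.policy == POLICY_CERT:
            return list(cert_dps)
        if self.policy == POLICY_STATIC:
            return list(self.static_dps)
        if self.policy == POLICY_BOTH:
            return list(cert_dps) + list(self.static_dps)
        return []                 # POLICY_DISABLED

    def _crl(self, url, now):
        """Return (next_update, revoked) for url, from the cache while fresh."""
        cached = self.cache.get(url) if self.caching else None
        if cached and datetime.fromisoformat(cached[0]) > datetime.fromisoformat(now):
            return cached
        self.fetch_count += 1
        crl = self.fetch(url)
        if crl is None:
            raise LookupError(f"cannot retrieve CRL from {url}")
        if self.caching:
            self.cache[url] = crl
        return crl

    def is_revoked(self, serial, cert_dps, now):
        """True if serial is on the first CRL that can be retrieved.

        Raises LookupError when no CRL-DP is reachable: an unavailable CRL
        says nothing about the certificate, so the caller must decide
        whether to fail the authentication (the safe choice) rather than
        silently treating the certificate as good.
        """
        if self.policy == POLICY_DISABLED:
            return False
        for url in self._candidate_dps(cert_dps):
            try:
                _next_update, revoked = self._crl(url, now)
            except LookupError:
                continue          # try the next distribution point
            return serial in revoked
        raise LookupError("no CRL distribution point reachable")


if __name__ == "__main__":
    checker = RevocationChecker(POLICY_BOTH, static_dps=["http://backup/AUSTIN.crl"])
    dp = ["http://austin/CertEnroll/AUSTIN.crl"]
    print(checker.is_revoked("03F42112000400000062", dp, "2004-01-01T00:00:00"))
    print(checker.is_revoked("01", dp, "2004-01-01T00:00:00"), "fetches:", checker.fetch_count)
```

With caching on, the second check above is answered from memory (one fetch in total) until the CRL's nextUpdate time passes, which is exactly the latency saving the lesson describes; with caching off, every IKE authentication costs a CRL retrieval.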
Concentrator SCEP Configuration

(Figure: the Administration>Certificate Management>Configure SCEP window for the certificate AUSTIN at TRAINING. Enrollment URL: http://172.26.26.51/certsrv/mscep/mscep. (truncated in the figure), with the hint "Enter the URL for enrollment." Polling Interval: 1, with the hint "Enter the polling interval in minutes." Polling Limit: none, with the hint "Enter the maximum number of polling attempts to reach the SCEP PKI. Enter "none" to set no limit on the number of attempts." Apply and Cancel buttons.)
To configure or modify the SCEP parameters, choose the Administration>Certificate Management window and select SCEP under the Certificate Authorities Actions column. The Administration>Certificate Management>Configure SCEP window opens. From this window the administrator can set the SCEP polling parameters or modify the SCEP URL.

If the CA does not issue the certificate immediately (some CAs require manual verification of credentials, and this can take time), the certificate request can enter pending mode. In pending mode, the Concentrator polls the CA a specified number of times at regular intervals until the CA responds or the process times out. The following options govern the polling:

■ Enrollment URL field—Enter the URL where the Concentrator should send SCEP enrollment requests. The default value of this field is the URL used to download this CA certificate.

■ Polling Interval field—If the CA does not issue the certificate immediately, the certificate request can enter polling mode. Enter the number of minutes the Concentrator should wait between re-sends. The minimum is 1 minute, the maximum is 60 minutes, and the default value is 1.

■ Polling Limit field—Enter the number of times the Concentrator should re-send an enrollment request if the CA does not issue the certificate immediately. The minimum number of re-sends is 0; the maximum is 100. If you do not want any polling limit (in other words, you want infinite re-sends), enter none.
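The polling parameters above and the Status values of the Enrollment Status table described earlier (Installed, Rejected, Timed-Out) are two views of the same state machine: each poll gets a pending, success or failure answer from the CA, the interval sets the wait between re-sends, and the limit caps how many re-sends happen before the request is marked Timed-Out. The following is an added example of that loop, illustrative code rather than Cisco's; the CA is a scripted stand-in and no SCEP messages are actually sent.

```python
"""Constructed example of SCEP pending mode as governed by the Polling
Interval and Polling Limit fields, mapped onto the Status values of the
Enrollment Status table. Illustrative code, not Cisco's: the CA is a scripted
stand-in and no SCEP messages are actually sent."""

# pkiStatus values a SCEP CA can return to a certificate request or poll
SUCCESS, FAILURE, PENDING = "SUCCESS", "FAILURE", "PENDING"


def scripted_ca(responses):
    """Return a fake CA that answers successive requests from 'responses'
    and keeps answering PENDING once the script runs out (the CA
    administrator has not acted yet)."""
    answers = list(responses)

    def respond():
        return answers.pop(0) if answers else PENDING
    return respond


def poll_enrollment(ca, polling_interval_min=1, polling_limit=None, sleep=None):
    """Drive one enrollment request through polling mode.

    ca:                   callable returning the CA's pkiStatus; the first
                          call models the initial PKCSReq, later calls the
                          GetCertInitial polls
    polling_interval_min: minutes between re-sends (the form allows 1 to 60)
    polling_limit:        maximum number of re-sends (0 to 100), or None for
                          the form's "none", meaning poll until the CA answers
    sleep:                waiter called with the interval in minutes; injected
                          so the example runs instantly

    Returns (status, requests_sent), with status one of the Enrollment
    Status table values 'Installed', 'Rejected' or 'Timed-Out'.
    """
    if not 1 <= polling_interval_min <= 60:
        raise ValueError("polling interval must be 1 to 60 minutes")
    if polling_limit is not None and not 0 <= polling_limit <= 100:
        raise ValueError("polling limit must be 0 to 100, or None for no limit")

    sent = 0
    while True:
        reply = ca()
        sent += 1
        if reply == SUCCESS:
            return "Installed", sent
        if reply == FAILURE:
            return "Rejected", sent
        # PENDING: re-sends so far = sent - 1; stop once the limit is used up
        if polling_limit is not None and sent - 1 >= polling_limit:
            return "Timed-Out", sent
        if sleep is not None:
            sleep(polling_interval_min)


if __name__ == "__main__":
    print(poll_enrollment(scripted_ca([PENDING, PENDING, SUCCESS])))
    print(poll_enrollment(scripted_ca([PENDING, FAILURE]), polling_limit=5))
    print(poll_enrollment(scripted_ca([]), polling_limit=3))
```

A limit of 0 means the initial request is sent once and a pending answer immediately produces Timed-Out; a limit of "none" keeps polling at the configured interval until the CA administrator either issues or rejects the certificate, which is the manual-approval case described earlier in the lesson.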
Activate the IKE Proposal

(Figure: the IKE Proposals window: "Add, delete, prioritize, and configure IKE Proposals. Select an Inactive Proposal and click Activate to make it Active, or click Modify, Copy or Delete as appropriate. Select an Active Proposal and click Deactivate to make it Inactive, or click Move Up or Move Down to change its priority. Click Add or Copy to add a new Inactive Proposal. IKE Proposals are used by Security Associations to specify IKE parameters." Active Proposals: CiscoVPNClient-3DES-MD5, CiscoVPNClient-3DES-MD5-RSA, IKE-3DES-MD5, IKE-3DES-MD5-DH1, IKE-DES-MD5, IKE-3DES-MD5-DH7, IKE-3DES-MD5-RSA, CiscoVPNClient-3DES-MD5-DH5, CiscoVPNClient-AES128-SHA, IKE-AES128-SHA. Inactive Proposals: IKE-3DES-SHA-DSA, IKE-3DES-MD5-RSA-DH1, IKE-DES-MD5-DH7, CiscoVPNClient-3DES-SHA-DSA, CiscoVPNClient-3DES-MD5-RSA-DH5, CiscoVPNClient-3DES-SHA-DSA-DH5, CiscoVPNClient-AES256-SHA, IKE-AES256-SHA. Actions: Activate, Deactivate, Move Up, Move Down, Add, Modify, Copy, Delete.)
You must check the following three items before the LAN-to-LAN with digital certificates tunnel can be configured:

■ Active Internet Key Exchange (IKE) proposal list

■ IKE proposal

■ Security Association (SA)

Check the Active Proposals list. By default, an RSA proposal should be present. The Concentrator requires an RSA IKE proposal for LAN-to-LAN with digital certificates to work.
IKE Proposal

(Figure: the Modify a configured IKE Proposal window for IKE-3DES-MD5-RSA. Authentication Mode: RSA Digital Certificate; Authentication Algorithm: MD5/HMAC-128; Encryption Algorithm: 3DES-168; Diffie-Hellman Group: Group 2 (1024-bits); Lifetime Measurement: Time; Data Lifetime: 10000; Time Lifetime: 86400. Each field carries a hint, for example "Select the packet authentication algorithm to use.", "Specify the data lifetime in kilobytes (KB)" and "Specify the time lifetime in seconds". Apply and Cancel buttons.)
Check the activated RSA Internet Key Exchange (IKE) proposal to ensure that it meets the authentication, encryption, Diffie-Hellman (DH), and lifetime requirements. In the example in the figure, the RSA IKE proposal supports the following:

■ Authentication mode—RSA digital certificates

■ Authentication algorithm—Message Digest 5 (MD5)

■ Encryption algorithm—Triple Data Encryption Standard (3DES)

■ DH group—DH group 2

■ Key length and lifetime—Time and 86400 seconds
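Why the Active list and its ordering matter becomes concrete when you model what the responder does with it: only active proposals are candidates, they are tried in priority order, and a certificate-authenticated LAN-to-LAN peer can only be matched by a proposal whose authentication mode is RSA digital certificates. The following added example (illustrative code, not the Concentrator's implementation) shows that selection. The proposal names are taken from the lesson's figure; the attributes of every proposal other than IKE-3DES-MD5-RSA are assumed from their names, and the CiscoVPNClient proposals are assumed to use XAUTH for remote-access clients.

```python
"""Constructed example of IKE proposal selection on the Concentrator side:
only proposals in the Active list are considered, in their priority order,
and a LAN-to-LAN tunnel that authenticates with certificates can only be
built if one of them uses RSA digital certificates. Illustrative code, not
the Concentrator's implementation. Attributes other than those of
IKE-3DES-MD5-RSA are assumed from the proposal names."""

# (name, authentication mode, hash, encryption, DH group, lifetime in seconds)
ACTIVE_PROPOSALS = [
    ("CiscoVPNClient-3DES-MD5",     "preshared-xauth", "MD5", "3DES",    2, 86400),
    ("CiscoVPNClient-3DES-MD5-RSA", "rsa-cert-xauth",  "MD5", "3DES",    2, 86400),
    ("IKE-3DES-MD5",                "preshared",       "MD5", "3DES",    2, 86400),
    ("IKE-3DES-MD5-DH1",            "preshared",       "MD5", "3DES",    1, 86400),
    ("IKE-3DES-MD5-RSA",            "rsa-cert",        "MD5", "3DES",    2, 86400),
    ("IKE-AES128-SHA",              "preshared",       "SHA", "AES-128", 2, 86400),
]
INACTIVE_PROPOSALS = [
    ("IKE-3DES-MD5-RSA-DH1",        "rsa-cert",        "MD5", "3DES",    1, 86400),
    ("IKE-AES256-SHA",              "preshared",       "SHA", "AES-256", 2, 86400),
]


def certificate_proposals(active):
    """Pre-check from the lesson: names of active proposals whose
    authentication mode is RSA digital certificates without XAUTH (the
    XAUTH variants are assumed here to serve remote-access clients)."""
    return [p[0] for p in active if p[1] == "rsa-cert"]


def select_proposal(active, offered):
    """Responder's choice: the first active proposal, in priority order,
    whose (auth, hash, encryption, DH group) match one of the attribute
    sets the initiator offered. Lifetime is negotiated separately and is
    not part of the match."""
    for name, auth, hash_alg, enc, dh, _lifetime in active:
        if (auth, hash_alg, enc, dh) in offered:
            return name
    return None


def activate(active, inactive, name):
    """Move a proposal from the Inactive list to the end (lowest priority)
    of the Active list, as the Activate button does."""
    for proposal in inactive:
        if proposal[0] == name:
            return active + [proposal], [p for p in inactive if p[0] != name]
    raise KeyError(name)


if __name__ == "__main__":
    print(certificate_proposals(ACTIVE_PROPOSALS))
    print(select_proposal(ACTIVE_PROPOSALS, [("rsa-cert", "MD5", "3DES", 2)]))
    print(select_proposal(ACTIVE_PROPOSALS, [("rsa-cert", "MD5", "3DES", 1)]))
```

The third call returns None: a peer offering DH group 1 with certificates cannot be matched until IKE-3DES-MD5-RSA-DH1 is moved to the Active list, which is the kind of mismatch the "check the active proposal list" step exists to catch before the tunnel is configured.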


Add RSA SA

(Figure: the Security Associations window: "This section lets you add, configure, modify, and delete IPSec Security Associations (SAs). Security Associations use IKE Proposals to negotiate IKE parameters. Click Add to add an SA, or select an SA and click Modify or Delete." IPSec SAs listed: ESP-3DES-MD5, ESP-3DES-MD5-DH7, ESP-L2TP-TRANSPORT, ESP/IKE-3DES-MD5, L2L: pod. Actions: Add, Modify, Delete.)
Select the Security Association (SA). The SA is a template that defines IPSec and IKE attributes. There are two choices: modify an existing SA or add a new one. If you modify an existing SA, you change it from pre-shared keys (the default) to Rivest, Shamir, and Adleman (RSA)-signed digital certificates. By changing it, you may enable LAN-to-LAN with digital certificates tunnels but disable the use of pre-shared keys for someone else. The best option is to add an SA. Click Add to do this.
Configure RSA SA

(Figure: the Configure and add a new Security Association window. SA Name: RSA 3DES MD5 (as shown in the figure); Inheritance: From Rule. IPSec Parameters: Authentication Algorithm ESP/MD5/HMAC-128; Encryption Algorithm 3DES-168; Encapsulation Mode Tunnel; Perfect Forward Secrecy Disabled; Lifetime Measurement Time; Data Lifetime 10000 (KB); Time Lifetime 28800 (seconds). IKE Parameters: IKE Peer 0.0.0.0, with the hint "Specify the IKE Peer for a LAN-to-LAN connection."; Negotiation Mode Main; Digital Certificate set to the student1 certificate; Certificate Transmission radio buttons Entire certificate chain / Identity certificate only, with the hint "Choose how to send the digital certificate to the IKE peer."; IKE Proposal IKE-3DES-MD5-RSA, with the hint "Select the IKE Proposal to use as IKE initiator.")
The Configuration>Policy Management>Traffic Management>Security Associations window has two sections: IPSec Parameters and IKE Parameters. In the IPSec Parameters section, verify the authentication, encryption, DH, and lifetime parameters. In the example in the figure, the IPSec proposal supports the following:

■ Authentication algorithm—MD5

■ Encryption algorithm—3DES

■ Encapsulation mode—Tunnel

■ Diffie-Hellman group—DH group 2

■ Key length and lifetime—Time and 86400 seconds

In the IKE Parameters section, choose which IKE parameters are to be applied to this Security Association (SA). Complete the following to do this:

Step 1 Choose IKE-3DES-MD5-RSA from the IKE Proposal drop-down menu.

Step 2 Choose the correct certificate from the Digital Certificate drop-down menu. In the example in the figure, the student1 certificate was chosen. This certificate is used during the certificate exchange.

Step 3 Click Add.
Add IPSec LAN-to-LAN

(Figure: the IPSec LAN-to-LAN window with an empty LAN-to-LAN Connection list and Add, Modify and Delete actions, and a topology sketch of two sites joined by an IPSec tunnel across the Internet. Window text: "This section lets you configure IPSec LAN-to-LAN connections. LAN-to-LAN connections are established with other VPN 3000 Concentrators, PIX firewalls, 7100/4000 series routers and other IPSec-compliant security gateways. To configure a VPN 3002 or other remote access connection, go to User Management and configure a Group and User. To configure NAT over LAN-to-LAN, go to LAN-to-LAN NAT Rules. If you want to define a set of networks on the local or remote side of the LAN-to-LAN connection, configure the necessary Network Lists prior to creating the connection. Click the Add button to add a LAN-to-LAN connection, or select a connection and click Modify or Delete. (D) indicates a disabled LAN-to-LAN connection.")
The Concentrator provides a wizard for LAN-to-LAN connections. It is found in the Configuration>System>Tunneling Protocols>IPSec LAN-to-LAN window. Click Add to access the wizard.
Boston IPSec LAN-to-LAN

(Figure: the LAN-to-LAN wizard filled in for the Boston end. Boston local private network 10.0.1.0, mask 255.255.255.0; remote peer 192.168.6.5 across the Internet; Houston remote private network 10.0.6.0, mask 255.255.255.0. The wizard's field hints, partly illegible in the figure, cover choosing the type of LAN-to-LAN connection (an Originate-Only connection may have multiple peers), entering the remote peer IP addresses (up to ten, one IP address per line), selecting the digital certificate to use and how to transmit it, enabling NAT if required, choosing the bandwidth policy, and entering the local and remote network address with a wildcard mask, which is the reverse of a subnet mask.)
The LAN-to-LAN wizard is divided into three sections. The top section provides Concentrator-to-Concentrator parameters. The middle section defines attributes of the local private network, while the bottom section deals with the remote private network.

In the top section, there are four parameters that must be defined:

■ Name field—Enter a unique descriptive name for this connection.

■ Peer field—Enter the IP address of the remote peer in the LAN-to-LAN connection. This must be the IP address of the public interface on the peer VPN Concentrator.

■ Digital Certificate drop-down menu—Click the drop-down menu button and choose from a list of installed digital certificates.

■ IKE Proposal drop-down menu—Specifies the set of attributes for Phase 1 IPSec negotiations, which are known as IKE proposals. You already activated the digital certificate IKE proposals before configuring LAN-to-LAN connections. Click the drop-down menu button and choose the IKE-3DES-MD5-RSA proposal. The list shows only active IKE proposals.

The middle and bottom sections define the addresses of the local and remote private networks. The term defined refers to the network address on the private interface of the Concentrator, not the host address. The local IP address is 10.0.1.0. Next is the wildcard mask, which is the opposite of a subnet mask (for example, the wildcard mask for 255.255.255.0 is 0.0.0.255).
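Two mistakes are common in these two sections: typing a subnet mask where the wizard expects a wildcard mask, and typing the host address of the private interface instead of the network address. The following added example (illustrative helper code, not the Concentrator's implementation) shows the wildcard conversion as bit inversion, how a wildcard decides whether an address belongs to a network, and a check that rejects a host address; the addresses are the lesson's Boston and Houston values.

```python
"""Constructed example: the wildcard mask entered in the LAN-to-LAN wizard is
the bitwise inverse of the subnet mask, and the wizard wants the network
address of the private side, not a host address. Illustrative helper code,
not the Concentrator's implementation; addresses are the lesson's Boston
and Houston values."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def _to_dotted(value):
    return str(ipaddress.IPv4Address(value & ALL_ONES))


def wildcard_from_subnet_mask(mask):
    """255.255.255.0 -> 0.0.0.255 (and back, since inversion is its own inverse)."""
    return _to_dotted(_to_int(mask) ^ ALL_ONES)


def matches(address, network, wildcard):
    """True if address is in network under the wildcard mask: a wildcard bit
    of 1 means 'ignore this bit', 0 means 'must equal the network bit'."""
    care = _to_int(wildcard) ^ ALL_ONES
    return (_to_int(address) & care) == (_to_int(network) & care)


def wizard_network_entry(network, subnet_mask):
    """Return (network address, wildcard mask) as the wizard's local/remote
    network fields expect, rejecting a host address entered by mistake."""
    net, mask = _to_int(network), _to_int(subnet_mask)
    if net & mask != net:
        raise ValueError(f"{network} is a host address; the wizard needs the "
                         f"network address ({_to_dotted(net & mask)}) for mask {subnet_mask}")
    return network, wildcard_from_subnet_mask(subnet_mask)


def l2l_networks(local_net, local_mask, remote_net, remote_mask):
    """Both ends of the Boston/Houston tunnel as the wizard records them."""
    return {
        "local": wizard_network_entry(local_net, local_mask),
        "remote": wizard_network_entry(remote_net, remote_mask),
    }


if __name__ == "__main__":
    print(l2l_networks("10.0.1.0", "255.255.255.0", "10.0.6.0", "255.255.255.0"))
    print(matches("10.0.1.77", "10.0.1.0", "0.0.0.255"))   # Boston host, in the local network
    print(matches("10.0.6.5", "10.0.1.0", "0.0.0.255"))    # Houston host, not in it
```

Because inversion is its own inverse, the same function also detects a subnet mask pasted into the wildcard field: 255.255.255.0 read as a wildcard would ignore the first three octets and match only on the last one, which is never what a LAN-to-LAN network entry intends.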
IPSec LAN-to-LAN Is Finished

(Figure: Boston 10.0.1.0, mask 255.255.255.0, public address 192.168.1.5, IPSec tunnel across the Internet to 192.168.6.5, Houston 10.0.6.0, mask 255.255.255.0. Confirmation window, with Save Needed shown: "An IPSec LAN-to-LAN connection has been successfully configured. The following have been added to your configuration:" Authentication Server: Internal; Group: 192.168.6.5; Security Association: L2L: boston; Filter Rules: L2L: boston Out, L2L: boston In. "Modifying any of these items will affect the LAN-to-LAN configuration. The Group is the same as your LAN-to-LAN peer. The Security Association and Filter Rules all start with "L2L:" to indicate that they form a LAN-to-LAN configuration." OK button.)
The window in the figure is a synopsis of the tunnel attributes defined by the wizard, including group, SA, and filter parameters. For more in-depth information, go to each record individually. Where appropriate, the parameters can be edited.


IPSec LAN-to-LAN Connection

(Figure: the IPSec LAN-to-LAN window after the wizard, with Save Needed shown and the LAN-to-LAN Connection list containing "Boston (192.168.6.5) on Ethernet 2 (Public)". Topology: Boston 10.0.1.0, mask 255.255.255.0, public address 192.168.1.5, IPSec tunnel across the Internet to 192.168.6.5, Houston 10.0.6.0, mask 255.255.255.0. The window text is the same as in the Add IPSec LAN-to-LAN figure.)

When finished, the new tunnel is defined as Boston (192.168.6.5) on Ethernet 2 (Public).
Boston is the name of the tunnel. 192.168.6.5 is the public interface of the remote Concentrator. Ethernet 2 (Public) is the local termination point of the tunnel.

There are two ends to every tunnel. The local end was defined earlier. The remote end needs to be defined as well. At the remote end, click Add and complete the LAN-to-LAN wizard for the remote end.
Summary

This topic summarizes the tasks you learned to complete in this lesson.

Summary

• SCEP certificate generation is a two-step process:

— CA certificate requests are sent to, and CA certificates are received from, the CA.

— Identity certificate requests are sent to, and identity certificates are received from, the CA.

• CA and identity certificates are validated before being loaded on a Concentrator.

• For CA support you configure the Concentrator much the same as you would for pre-shared keys, substituting the digital certificates when necessary.

• Add, verify, and delete certificates in the Administration>Certificate Management window.
Lab Exercise—Configure Cisco VPN 3000 Series Concentrators for LAN-to-LAN Using Digital Certificates

Complete the following lab exercise to practice what you learned in this lesson.

Objectives

Your task in this lab exercise is to configure one end of a LAN-to-LAN Virtual Private Network (VPN) while another team completes the same tasks at a remote site. Work with your lab partner to complete the following tasks on your side of the LAN-to-LAN VPN:

■ Complete the lab exercise setup.

■ Delete the Cisco VPN 3000 Series Concentrator pre-existing PKCS#10 requests.

■ Delete the Cisco VPN 3000 Series Concentrator pre-existing identity and root certificates.

■ Generate a new root certificate via SCEP.

■ Generate a new identity certificate via SCEP.

■ Verify the Cisco VPN 3000 Series Concentrator IKE proposal.

■ Modify the Cisco VPN 3000 Series Concentrator SAs.

■ Verify the Cisco VPN 3000 Series Concentrator IPSec LAN-to-LAN parameters.

■ Drop the IPSec LAN-to-LAN tunnel.

■ Monitor Cisco VPN 3000 Series Concentrator events.
Visual Objective

The following figure displays the configuration you will complete in this lab exercise.

[Figure: Lab Visual Objective. Pods 1-5 (network 192.168.P.0, a Concentrator, and a Student PC at 10.0.P.15) connect through RBB (192.168.0.0) to Pods 6-10 (a Concentrator and a Student PC at 10.0.Q.15).]
Scenario

Your company wants you to implement a VPN between the world headquarters campus site and the remote sales offices. You must configure the Cisco VPN 3000 Series Concentrators for LAN-to-LAN tunneling using digital certificates for authentication.

Task 1—Complete the Lab Exercise Setup

Before starting this lab exercise, verify that your equipment is set up as follows:

• Ensure that your student PC is powered on.
• Ensure that your student PC IP addresses are configured correctly:
  – Primary IP address—10.0.P.15 (where P = pod number)
  – Default gateway IP address—10.0.P.5 (where P = pod number)
• Ensure that your Concentrator is powered on.
Task 2—Delete the Cisco VPN 3000 Series Concentrator Pre-Existing PKCS#10 Requests

Complete the following steps to ensure that all previous certificate requests are removed from the Concentrator:

Step 1 Launch Internet Explorer by double-clicking the desktop icon.

Step 2 Enter a Concentrator private interface IP address of 10.0.P.5 in the Internet Explorer Address field (where P = pod number). Internet Explorer connects to the Cisco VPN 3000 Concentrator Series Manager.

Step 3 Log into the Cisco VPN 3000 Concentrator Series Manager using the administrator account:

    Login: admin
    Password: admin

The username (login) and password are always case sensitive.

Step 4 From the Administration menu tree, drill down to File Management.

Step 5 Locate any existing PKCSN.TXT files and click Delete. Click OK in the Are you sure you want to delete PKCSN.TXT message box (where N = any number).

Step 6 Do not log out of the Concentrator.

Warning Delete only those files named PKCSN.TXT (where N = any number string). Deleting any other listed files may result in unpredictable operation of the Concentrator.

Task 3—Delete the Cisco VPN 3000 Series Concentrator Pre-Existing Identity and Root Certificates

Complete the following steps to ensure that all previous certificates are removed from the Concentrator:

Step 1 From the Administration menu tree, drill down to Certificate Management.

Step 2 Under the Identity Certificates section, locate any existing identity certificates. Complete the following sub-steps to delete any existing identity certificate:
  1. Click Delete under the Identity Certificates actions column.
  2. Click Yes when you are asked if you are sure you want to delete this certificate.

Step 3 Locate any existing root certificate under the Certificate Authorities section.

Step 4 Complete the following sub-steps to delete any existing root certificates:
  1. Click Delete under the Certificate Authorities actions column.
  2. Click Yes when you are asked if you are sure you want to delete this certificate.
Task 4—Generate a New Root Certificate via SCEP

Complete the following steps to create a new root certificate using Simple Certificate Enrollment Protocol (SCEP):

Step 1 From the Administration menu tree, drill down to Certificate Management. The Administration>Certificate Management window opens.

Step 2 Select Click here to install a CA certificate. The Administration>Certificate Management>Install>CA Certificate window opens.

Step 3 Select SCEP (Simple Certificate Enrollment Protocol). The Administration>Certificate Management>Install>CA Certificate>SCEP window opens.

Step 4 Enter the CA information in the URL field as follows:
    http://172.26.26.51/certsrv/mscep/mscep.dll

Step 5 Enter 99 in the CA Descriptor field.

Step 6 Click Retrieve. It may take several moments for the certificate to be retrieved. The Administration>Certificate Management window opens. The new root certificate should be present and the value in the SCEP Issuer field should be Yes.

Step 7 Choose the Certificate Authorities section and click View.

Step 8 Answer the following questions under the Actions column:

Q1) Under Subject, what is CN?
A)

Q2) Under Issuer, what is CN?
A)

Q3) What is the signing algorithm?
A)

Q4) What is the public key type?
A)

Q5) What is the validity period?
A) From
B) To

Step 9 Click Back.
Task 5—Generate a New Identity Certificate via SCEP

Complete the following steps to create a new identity certificate using SCEP:

Step 1 From the Administration menu tree, drill down to Certificate Management. The Administration>Certificate Management window opens.

Step 2 Select Click here to enroll with a Certificate Authority. The Administration>Certificate Management>Enroll window opens.

Step 3 Select Identity certificate. The Administration>Certificate Management>Enroll>Identity Certificate window opens.

Step 4 Select Enroll via SCEP at XXXX (where XXXX = name of the CA authority). The Administration>Certificate Management>Enroll>Identity Certificate>SCEP window opens.

Step 5 Complete the following sub-steps to fill out the CA enrollment:
  1. Enter a common name: studentPX (where P = pod number, and X = your first and last initials).
  2. Enter an organizational unit: training. (The Concentrator uses this as the group password. This parameter must match end-to-end.)
  3. Enter an organization: Cisco.
  4. Leave the rest of the empty fields blank.
  5. Choose a key size: RSA 512 bits.
  6. Click Enroll. It may take several moments for the SCEP enrollment to finish. When successfully completed, a SCEP status installed message opens.
  7. Click Go To Certificate Management. The Administration>Certificate Management window opens.

Step 6 Go to the Identity Certificates section and click View under the Actions column.

Step 7 Answer the following questions:

Q6) Under Subject, what is CN?
A)

Q7) Under Issuer, what is CN?
A)

Q8) What is the signing algorithm?
A)

Q9) What is the public key type?
A)

Q10) What is the validity period?
A) From
B) To

Step 8 Click Back.
Task 6—Verify the Cisco VPN 3000 Series Concentrator IKE Proposal

Complete the following steps to verify that an Internet Key Exchange (IKE) proposal is active:

Step 1 From the Configuration menu tree, drill down to System>Tunneling Protocols>IPSec>IKE Proposals.

Step 2 Verify that the IKE-3DES-MD5-RSA proposal is in the Active Proposals list.

Step 3 Choose the IKE-3DES-MD5-RSA proposal from the Active Proposals list.

Step 4 Select Modify and complete the following sub-steps:
  1. Verify that the Authentication Mode is set to RSA Digital Certificate.
  2. Verify that the Authentication Algorithm is set to MD5/HMAC-128.
  3. Verify that the Encryption Algorithm is set to 3DES-168.
  4. Verify that the Diffie-Hellman Group is set to Group 2 (1024-bits).

Step 5 Click Cancel.

Task 7—Modify the Cisco VPN 3000 Series Concentrator SAs

Security Associations (SAs) define the IKE and IPSec parameters that are negotiated when the IPSec LAN-to-LAN tunnel is established. Because you are migrating from a pre-shared key exchange to a digital certificate exchange, a digital certificate IKE template needs to be applied to the negotiation. Complete the following steps:

Step 1 From the Configuration menu tree, drill down to Policy Management>Traffic Management>SAs.

Step 2 Select the L2L:podP SA and click Modify (where P = pod number). The Modify window opens.

Step 3 From the digital certificate drop-down menu, choose studentPX (where P = pod number, and X = your first and last initials).

Step 4 From the IKE Proposal drop-down menu, choose IKE-3DES-MD5-RSA.

Step 5 Click Apply.

Step 6 Save the configuration changes.

Task 8—Verify the Cisco VPN 3000 Series Concentrator IPSec LAN-to-LAN Parameters

Complete the following steps to verify the IPSec LAN-to-LAN group parameters:

Step 1 From the Configuration menu tree, drill down to System>Tunneling Protocols>IPSec>LAN-to-LAN.

Step 2 Select podP (where P = pod number).

Step 3 Click Modify.

Step 4 Verify the digital certificate: studentPX (where P = pod number, and X = your first and last initials).

Step 5 Verify the IKE proposal: IKE-3DES-MD5-RSA.

Step 6 Click Apply.

Step 7 Save the configuration changes. Wait for the remote end to reach this point before continuing.

Task 9—Drop the IPSec LAN-to-LAN Tunnel

Complete the following steps to disconnect the LAN-to-LAN tunnel session:

Step 1 From the Administration menu tree, drill down to Administer Sessions.

Step 2 Choose the LAN-to-LAN Sessions section.

Step 3 If a LAN-to-LAN session exists, click Logout to disconnect the tunnel.

Step 4 Wait a few seconds and click Refresh. The LAN-to-LAN tunnel should re-establish a connection. If it does not, ping your peer's PC.

Task 10—Monitor Cisco VPN 3000 Series Concentrator Events

Complete the following steps to perform an in-depth examination of the IKE and Certificate (CERT) event messages:

Step 1 From the Configuration menu tree, drill down to System>Events>Classes.

Step 2 Click Add. The Classes>Add window opens.

Step 3 Enable logging for the IKEDECODE event class by completing the following sub-steps:
  1. Select a class name: IKEDECODE.
  2. Set the Events to Log: 1-13.
  3. Leave all other fields at their default values.
  4. Click Add. The Classes>Add window opens.

Step 4 Enable logging for the CERT event class by completing the following sub-steps:
  1. Click Add.
  2. Select a class name: CERT.
  3. Set the Events to Log: 1-13.
  4. Leave all other fields at their default values.
  5. Click Add. The Classes>Add window opens.

Step 5 From the Monitoring menu tree, drill down to Filterable Event Log.

Step 6 Click Clear Log.

Step 7 From the Administration menu tree, drill down to Administer Sessions.

Step 8 Disconnect and re-establish the LAN-to-LAN tunnel to view the events generated by completing the following sub-steps:
  1. Choose the LAN-to-LAN Sessions section and select Logout.
  2. Wait a few seconds and click Refresh. The LAN-to-LAN tunnel should re-establish itself. If it does not, ping your peer's PC.

Step 9 From the Monitoring menu tree, drill down to Filterable Event Log and complete the following sub-steps:
  1. In the Event Class group box, scroll down and select IKEDECODE.
  2. While holding down the Ctrl key on your PC, select CERT.
  3. In the Events/Page combo window, select ALL.
  4. Click |<<.

Step 10 Scroll through the event messages.

Step 11 View the event shown and answer the following question:

    127 03/01/2000 09:41:23.510 SEV=8 IKEDECODE/0 RPT=305
    Phase 1 SA Attribute Decode for Transform # 1:
    Encryption Alg: Triple-DES (5)
    Hash Alg : MD5 (1)
    Group : Oakley Group 1 (1)
    Auth Method : RSA signature with Certificates (3)
    Life Time : 86400 seconds

Q11) What is the authentication method for this IKE tunnel?
A)

Step 12 View the event shown and answer the following questions:

    DER ASN1 DN ID received, len 36
    0000: 3038310E 300C0603 55040A13 05636973  081.0...U....cis
    0010: 636F3111 300F0603 55040B13 08747261  co1.0...U....tra
    0020: 696E696E 67311330 11060355 0403130A  ining1.0...U....
    0030: 73747564 656E7431 6265               student1be

Q12) What is the company name?
A)

Q13) What is the organizational unit?
A)

Q14) The organizational unit name must match what name on the Concentrator?
A) ______ name

Step 13 View the events shown and answer the following question:

    235 03/01/2000 09:41:23.680 SEV=7 CERT/1 RPT=10
    Certificate is valid: session = 35

Q15) Is the certificate valid?
A)

Step 14 Log out of the Concentrator.

Step 15 Close Internet Explorer.
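The reading the lab asks for in Steps 11 to 13 can also be done programmatically. The following Python is an added example, not course material: it parses a constructed Filterable Event Log excerpt in the format shown above, pulls the Phase 1 authentication method out of the IKEDECODE event, decodes the DER DN hex dump to recover O, OU and CN, collects the CERT "certificate is valid" sessions, and flags an OU that does not match the expected group. The sample log, the function names and the OU/group check are assumptions of this example.

```python
import re

# Constructed sample in the lab's event format (not a real capture); the DN dump encodes
# O=Cisco, OU=training, CN=student1ab, where the "ab" initials stand in for a student's.
SAMPLE_LOG = """\
127 03/01/2000 09:41:23.510 SEV=8 IKEDECODE/0 RPT=305
Phase 1 SA Attribute Decode for Transform # 1:
Hash Alg : MD5 (1)
Auth Method : RSA signature with Certificates (3)
131 03/01/2000 09:41:23.560 SEV=8 IKEDECODE/0 RPT=306
DER ASN1 DN ID received, len 58
0000: 3038310E 300C0603 55040A13 05436973  081.0...U....Cis
0010: 636F3111 300F0603 55040B13 08747261  co1.0...U....tra
0020: 696E696E 67311330 11060355 0403130A  ining1.0...U....
0030: 73747564 656E7431 6162               student1ab

235 03/01/2000 09:41:23.680 SEV=7 CERT/1 RPT=10
Certificate is valid: session = 35
"""
EVENT_HEADER = re.compile(r"^(\d+) (\S+ \S+) SEV=(\d+) ([A-Z]+)/(\d+) RPT=(\d+)$")
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{4}: (.*)$")
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU"}

def parse_events(text):
    """Split the log into events: one header line followed by its body lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_HEADER.match(line)
        if m:
            events.append({"seq": int(m[1]), "ts": m[2], "sev": int(m[3]), "cls": m[4], "body": []})
        elif events and line.strip():
            events[-1]["body"].append(line.rstrip())
    return events

def hexdump_to_bytes(lines):
    """Rebuild bytes from 'OFFSET: XXXXXXXX ... ascii' lines; the first non-hex token on a
    line is taken as the start of the ASCII column (a heuristic that fits this log format)."""
    out = bytearray()
    for line in lines:
        m = HEX_LINE.match(line)
        for tok in (m.group(1).split() if m else []):
            if not re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", tok):
                break
            out += bytes.fromhex(tok)
    return bytes(out)

def der_read(buf, pos):
    """Read one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    children, pos = [], 0  # the (tag, value) TLVs packed inside a constructed value
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        children.append((tag, val))
    return children

def decode_oid(raw):
    """Decode OID content bytes, e.g. 55 04 0B -> '2.5.4.11'."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_dn(der):
    """Decode an X.501 Name: SEQUENCE OF SET OF SEQUENCE { OID, string }."""
    tag, rdns, _ = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("DN must start with a SEQUENCE")
    dn = {}
    for set_tag, rdn in der_children(rdns):
        if set_tag != 0x31:
            raise ValueError("each RDN must be a SET")
        for _, ava in der_children(rdn):
            (_, oid), (str_tag, text) = der_children(ava)[:2]
            name = OID_NAMES.get(decode_oid(oid), decode_oid(oid))
            dn[name] = text.decode("utf-8" if str_tag == 0x0C else "ascii")
    return dn

def check_tunnel(text, expected_group):
    """Answer Q11-Q15 from the log and flag an OU that does not match the Concentrator group."""
    report = {"auth_method": None, "subject": {}, "valid_cert_sessions": []}
    for ev in parse_events(text):
        body = ev["body"]
        if ev["cls"] == "IKEDECODE" and body and body[0].startswith("Phase 1 SA Attribute Decode"):
            for line in body[1:]:
                key, _, val = line.partition(":")
                if key.strip() == "Auth Method":  # value looks like "RSA signature ... (3)"
                    report["auth_method"] = re.sub(r"\s*\(\d+\)$", "", val.strip())
        elif ev["cls"] == "IKEDECODE" and body and body[0].startswith("DER ASN1 DN ID received"):
            report["subject"] = parse_dn(hexdump_to_bytes(body[1:]))
        elif ev["cls"] == "CERT":
            report["valid_cert_sessions"] += [int(s) for s in
                re.findall(r"Certificate is valid: session = (\d+)", " ".join(body))]
    # Q14: the OU in the peer's identity certificate must match the name configured on the Concentrator.
    report["ou_matches_group"] = report["subject"].get("OU") == expected_group
    return report
```

Run `check_tunnel(SAMPLE_LOG, "training")` to see the four answers as a dictionary; pass a different group name to see the OU mismatch flagged.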
Using Cisco VPN 3000 Concentrator v4.7

Overview

Organizations are increasingly expected to provide access to the corporate network to a diverse mix of users. Employees working at remote locations need secure access to the corporate network from any non-corporate or publicly owned system. There can also be situations when these users need access without having preinstalled VPN software, which is not a secure method. In addition, the users can require access from a system with simple configuration and Internet connectivity. Therefore, to extend secure access to this diverse mix of users, organizations need to provide secure connectivity from a Web browser.

The Cisco VPN 3000 Concentrator running version 4.7 provides a robust VPN infrastructure and a unique remote-access architecture that supports the remote-access application requirements of organizations. The Cisco SSL VPN Client and Cisco Secure Desktop features in Cisco VPN 3000 Concentrator v4.7 deliver extensive application access, endpoint security, data integrity protection, infrastructure access, and network compliance validation controls.

Module Objectives

Upon completing this module, you will be able to perform the following tasks:

• Install Cisco SSL VPN Client and configure Cisco VPN 3000 Series Concentrator v4.7
• Install, enable, and configure the Cisco Secure Desktop

NOTE: Cisco Secure Virtual Private Networks (CSVPN) v4.7 is an add-on, optional module consisting of 2 lessons. The CSVPN exam #642-511 will not be refreshed, and this new content in v4.7 will not be in the CSVPN exam.
Lesson 1

Using Cisco SSL VPN Client

Overview

This chapter describes the procedure to install Cisco SSL VPN Client, and how to configure Cisco VPN 3000 Series Concentrator v4.7. It includes the following topics:

• Objectives
• Cisco SSL VPN Client—An Overview
• Installing Cisco SSL VPN Client
• Configuring Cisco VPN 3000 Series Concentrator v4.7
• Summary
• Lab Exercise

Objectives

This section lists the chapter's objectives.

Objectives

Upon completion of this course, you will be able to perform the following tasks:

• Explain how Cisco SSL VPN Client works.
• Identify the administrative requirements for installing Cisco SSL VPN Client.
• Install Cisco SSL VPN Client.
• Configure Cisco VPN 3000 Series Concentrator v4.7.
Cisco SSL VPN Client—An Overview

This topic provides an overview of Cisco SSL VPN Client.

Cisco SSL VPN Client is an application that is dynamically downloaded on a remote system when a user attempts to connect to the corporate network through Cisco VPN 3000 Concentrator. Cisco SSL VPN Client provides secure access to the corporate network by establishing end-to-end, encrypted VPN tunnels. This enables a user to gain secure access to the corporate network without preinstalling any VPN client software on the remote system.

Note Using Cisco SSL VPN Client, users gain network-layer connectivity to virtually any IP application on the corporate network.
The following table lists the features of Cisco SSL VPN Client.

Features of Cisco SSL VPN Client

Universal Application Access
    Provides full client capabilities over SSL, including access to Cisco IP SoftPhone and voice over IP (VoIP) support, thus increasing remote-user productivity.

Ease of Download and Installation
    • Dynamic download and multiple delivery methods ensure seamless download and distribution with Java, ActiveX, or .exe.
    • Small download size ensures rapid delivery.
    • No reboot required after installation.

Increased Security
    • Cisco SSL VPN Client can be removed at the end of a session or can be installed permanently.

Zero-Touch Remote Administration
    • Central site configuration provides integration, with no administration required on the remote client side.
Example: Cisco SSL VPN Client

The figure shows how users access a corporate network by using Cisco SSL VPN Client.

[Figure: Connecting to Corporate Network. Step 1. Users connect to the corporate network via web browser. Step 4. Cisco SSL VPN Client software is installed after successful login. Step 5. User system obtains an IP address from the VPN 3000 Series Concentrator (192.168.1.1 shown).]

When a remotely placed user connects to the corporate network through a Web browser, a security certificate is displayed. The user then enters the login and password details. Cisco VPN 3000 Concentrator validates the login and the Cisco SSL VPN Client software is automatically installed on the remote system. Finally, Cisco VPN 3000 Concentrator assigns an IP address to the remote system.

The remote system appears as a workstation within the corporate network, and the traffic between Cisco VPN 3000 Concentrator and the remote system is encrypted through the SSL tunnel.
Installing Cisco SSL VPN Client

This topic explains the administrative requirements and the procedure for installing Cisco SSL VPN Client.

[Figure: WebVPN Login page of the VPN 3000 Concentrator Series Manager, with Login and Password fields.]

Before installing a Cisco SSL VPN Client on the VPN 3000 Concentrator, you need to ensure that the remote system and the VPN 3000 Concentrator meet the recommended administrative requirements.
Administrative Requirements for Installing Cisco SSL VPN Client

The following table lists the administrative requirements for installing Cisco SSL VPN Client on the VPN 3000 Concentrator.

Administrative Requirements for Installing Cisco SSL VPN Client

Hardware
    • Cisco VPN 3000 Concentrator running version 4.7 or later
    • Altiga Networks VPN Concentrator running version 4.7 or later

Operating System
    Windows XP or Windows 2000 only.

Privileges
    Administrator privileges

However, there can be instances where a user does not have administrator privileges on the remote system to install Cisco SSL VPN Client. In such a case, an install enabler utility, STCIE.EXE, needs to be installed on the system.

Note STCIE.EXE preloads a client service that allows non-privileged users to load Cisco SSL VPN Client. STCIE.EXE is included in the sslclient-win-1.0.1.116.zip file.

STCIE.EXE creates or updates the Cisco SSL VPN Client in the Program Files > Cisco System folder, which the VPN 3000 Concentrator pushes to the remote system.
The following table lists the switches available with the STCIE.EXE utility:

STCIE.EXE Command Line Switches

STCIE.EXE/?
    Displays the available command options.

STCIE.EXE/HELP
    Displays the available command options.

STCIE.EXE/NODLG
    Suppresses dialog boxes except for errors.

STCIE.EXE/NODLGNOERROR
    Suppresses all dialog boxes, including errors.
Installing Cisco SSL VPN Client

You can install Cisco SSL VPN Client on a client PC by performing the following steps:

[Figure: VPN 3000 Concentrator Series Manager, Cisco SSL VPN Client page. The page reads "The Cisco SSL VPN Client is not installed. These settings override all group Cisco SSL VPN Client settings. Choose one of the following actions and click the Apply button", with the option "Install a new Cisco SSL VPN Client", a Browse... button, and Apply and Cancel buttons.]

Step 1 Download the sslclient-win*.pkg file from the Cisco Web site by using the Cisco.com login to any location on the PC.

Step 2 On the Web browser window, enter the IP address of the VPN 3000 Concentrator, for example https://128.107.245.51/admin.htm. A security alert certificate dialog box is displayed.

Step 3 Click the Yes button to gain access to VPN 3000 Concentrator Series Manager.

Step 4 Enter the Username and Password in the Login and Password text boxes for authentication. Click the Login button. After successful authentication, the Main Page on the VPN 3000 Concentrator Series Manager window is displayed.

Step 5 Click Configuration to display the Configuration page. This page displays the features that can be configured.

Step 6 Click Tunneling and Security.

Step 7 Click WebVPN. This displays the options for WebVPN remote access sessions. The additional configuration options for WebVPN are SSL Encryption, HTTP, HTTPS, Interfaces, Base Groups, and Groups.

Step 8 Click Cisco SSL VPN Client.

Step 9 Click the Browse button to open the Choose File dialog box. Locate the Cisco SSL VPN Client package file, and then click the Open button.

Step 10 Click the Apply button to display the File Upload window. When the Upload Complete message appears, click Save Needed to save the configuration.

Step 11 On the Save Successful dialog box, click the OK button.
To verify the installation of Cisco SSL VPN Client, click Cisco SSL VPN Client.

[Figure: Verifying Installation of Cisco SSL VPN Client. The Cisco SSL VPN Client page of the VPN 3000 Concentrator Series Manager reads "Cisco SSL VPN Client version (CISCO STC win2k+ 1.0.0 1,0,1,116 Wed 06/01/2005 01:25:05.43) is enabled. These settings override all group Cisco SSL VPN Client settings. Choose one of the following actions and click the Apply button", followed by the radio buttons Disable, Enable (selected), Uninstall, and Install a new Cisco SSL VPN Client.]

Note that the options listed in the following table are displayed on the Web browser window:

Cisco SSL VPN Client Options

Disable the Cisco SSL VPN Client
    Select this radio button to disable the Cisco SSL VPN Client.

Enable the Cisco SSL VPN Client
    Select this radio button to enable the Cisco SSL VPN Client.

Uninstall the Cisco SSL VPN Client
    Select this radio button to remove the Cisco SSL VPN Client software image from the Cisco VPN 3000 Concentrator.

Install the Cisco SSL VPN Client
    Select this radio button to install a new Cisco SSL VPN Client application.
Configuring VPN 3000 Series Concentrator v4.7

This topic describes the several options that can be configured on the VPN 3000 Series Concentrator v4.7.

[Figure: Configuring VPN 3000 Series Concentrator v4.7. The group configuration page of the VPN 3000 Concentrator Series Manager, with the tabs Identity, General, IPSec, Client Config, Client FW, HW Client, PPTP/L2TP, WebVPN, and NAC. The page notes: check the Inherit? box to set a field that you want to default to the base group value; uncheck the Inherit? box and enter a new value to override base group values. The Identity Parameters shown are Group Name (enter a unique name for the group), Password (enter the password for the group), Verify (verify the group's password), and Type (external groups are configured on an external authentication server, e.g. RADIUS; internal groups are configured on the VPN 3000 Concentrator's internal database).]

Cisco VPN 3000 Series Concentrator v4.7 provides several options that can be configured to meet customized requirements. For example, to enhance security, you can restrict a remote user to access the corporate network only during business hours, or restrict the number of simultaneous logins to the corporate network from a remote user. To meet these requirements, you can configure the global parameters and options available on the General, Client Config, and WebVPN tabs of the Cisco VPN 3000 Series Concentrator v4.7.
Configuring Group Options on General Tab

The General tab can be divided into three sections. The first section enables you to configure the access rights and privileges. In the second section, you can configure the DNS and WINS information used by the client. The third section enables you to configure the tunneling protocols supported by the group.

[Figure: Configuring Group Options on General Tab. The General tab in the VPN 3000 Concentrator Series Manager, with its three sections labelled Access Rights and Privileges, DNS and WINS, and Tunneling Protocol.]

The following table lists the components of the General tab.

Components of the General Tab

Access Hours
    Click this drop-down arrow and, depending on your requirement, select any of the following options:
    • No Restrictions: No restrictions on access hours
    • Never: No access at any time
    • Business Hours: Access from 9 a.m. to 5 p.m., Monday to Friday

Simultaneous Logins
    Enter the number of simultaneous logins provided for a single internal user. The default is 3, the minimum is 0, and there is no limit for the maximum number of simultaneous logins.

Minimum Password Length
    Enter the minimum length of user passwords. The minimum number of characters is 1, the default is 8, and the maximum is 32.

Allow Alphabetic-Only Passwords
    Select this check box to allow user passwords with alphabetic characters only. This option applies only to users who are authenticated by the VPN 3000 Concentrator internal authentication server. However, it is recommended to set passwords that contain alphabetic characters, numbers, and symbols.

Idle Timeout
    Enter the idle timeout period in minutes for terminating the system connection when there is no communication activity. The minimum time is 1 minute, the maximum is 10080 minutes, and the default time is 30 minutes. To disable the timeout and allow an unlimited idle period, enter 0.

Maximum Connect Time
    Enter the maximum user connection time in minutes, at the end of which the system terminates the connection. The minimum time is one minute, and the maximum time is 2147483647 minutes. To allow unlimited connection time, enter 0.

Filter
    Select the filter of the base group from the drop-down arrow. This component determines whether to allow or reject tunneled data packets coming through the VPN Concentrator based on criteria such as source address, destination address, and protocol. You can choose None, Private, Public, or External. Moreover, additional filters that you configure also appear on this list.

Primary DNS
    Enter the IP address of the primary DNS server for base-group users. The system sends this address to the client as the first DNS server to use for resolving host names.

Secondary DNS
    Enter the IP address of the secondary DNS server for base-group users. The system sends this address to the client as the second DNS server to use for resolving host names.

Primary WINS
    Enter the IP address of the primary WINS server for base-group users. The system sends this address to the client as the first WINS server to use for resolving host names under Windows NT. If the base group does not use WINS, leave this field blank.

Secondary WINS
    Enter the IP address of the secondary WINS server for base-group users. The system sends this address to the client as the second WINS server to use for resolving host names under Windows NT.

SEP Card Assignment
    Select the check boxes to assign a user to a given SEP or SEP-E module. By default, all the check boxes are selected.

Tunneling Protocols
    Select the desired Tunneling Protocol check boxes to select the VPN tunneling protocols that users in this group can use. The WebVPN check box has been included in VPN 3000 Concentrator v4.7. WebVPN does not require a software or hardware client to establish a remote-access tunnel.

Strip Realm
    Select this check box to remove the realm qualifier of the username during authentication. On selecting this check box, authentication is based on the username only. Otherwise, authentication is based on the full username@realm string. You need to select this check box if your server is unable to parse delimiters.

DHCP Network Scope
    Enter the IP sub-network that the DHCP server should assign to users in the group. To use this feature, the VPN 3000 Concentrator must be using a DHCP server for address assignment.
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Configuring Group Options on Client Config Tab 


On this tab, you can set client configuration parameters separately for Cisco clients, Microsoft 
clients, and for clients common to Microsoft and Cisco. 


Configuring Group Options on Client song Tab 


\) VPN 3000 


Concentrator Series Manager 


Check the Inherit? box to set a field that you want to default to the base group value. Uncheck the Inherit? box and enter anew 
value to override base group values 


|_s3Policy Management Ident ral 3c | Client Config | Client FW | HW Client | PPTP/L2TP | WebVPH 
—GrTunneling and Seou Client Configuration Parameters 
/ErAdministration 


-HMonitoring Cisco Client Parameters 
Attribute Value Inherit?) Description 
Allow) 
Password! Check to allow the IPSec client to store the password 
Storage on! locally. 
Client} 
TPSec over Check to allow a client to operate through a NAT 
UDP| device using UDP encapsulation of ESP 


Enter the UDP port to be used for IPSec through 
INAT (4001 - 49151, except port 4500, which is 
reserved for NAT-T). 
© Select a method to use or disable backup 
Use Client Configured List setvers 
© Enter up to 10 IPSec backup server 
IPSec Backup addresses/names starting from high priority to 
Servers| low. 
« Enter each IPSec backup server addressiname 
ona single line 


IPSec over 
UDP Port| 


Cisco SystEMs 
The following table lists the Cisco Client Parameters on the Client Config tab.


Cisco Client Parameters

Allow Password Storage on Client
    Select this check box to allow IPSec clients to store their login passwords on their local client systems. If you do not allow password storage (the default), IPSec users must enter their password each time they connect to the VPN. Leave this disabled unless there is a compelling reason: a stored password is only as safe as the endpoint it sits on.

IPSec over UDP
    Select this check box to allow the Cisco VPN Client (IPSec client) or the VPN 3002 Hardware Client to reach the VPN Concentrator through a NAT device, firewall, or router by encapsulating ESP in UDP. This check box is not selected by default.

IPSec over UDP Port
    Enter the UDP port number the VPN Concentrator uses for IPSec through NAT. The range is 4001 to 49151, excluding port 4500, which is reserved for NAT-T; the default is 10000.

IPSec Backup Servers
    Select the backup server method to use (for example, Use Client Configured List) or disable backup servers. You can enter up to ten VPN Concentrators by IP address or hostname, one per line, listed from highest to lowest priority.
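The Inherit? mechanism described above is easy to get wrong when a group overrides some fields and inherits others. The following is an added example, not Cisco code: it resolves a group's Client Config values against the base group the way the Inherit? check box does, then applies the constraints the tab enforces (the 4001-49151 port range with 4500 reserved for NAT-T, at most ten backup servers, one entry per line). The attribute names, the dictionary layout, and the sample groups are assumptions made for this example.

```python
# Added example (not Cisco code): Inherit? resolution plus the Client Config
# constraints from the table above. Attribute names and dictionaries are
# constructed for illustration.

NAT_T_PORT = 4500                       # reserved for NAT-T, never selectable
UDP_PORT_MIN, UDP_PORT_MAX = 4001, 49151
MAX_BACKUP_SERVERS = 10

# Base group values (constructed): the defaults described on the tab.
BASE_GROUP = {
    "allow_password_storage": False,
    "ipsec_over_udp": False,
    "ipsec_over_udp_port": 10000,
    "ipsec_backup_servers": [],
}


def resolve_group(base, group):
    """Return the effective attribute set for a group.

    Each entry of `group` is {"inherit": bool, "value": ...}.  A field whose
    Inherit? box is checked (or that is absent) takes the base-group value;
    an unchecked box means the group's own value overrides it.
    """
    effective = dict(base)
    for name, field in group.items():
        if name not in base:
            raise KeyError(f"unknown attribute {name!r}")
        if not field.get("inherit", True):
            effective[name] = field["value"]
    return effective


def validate(effective):
    """Return the list of problems an administrator should fix; [] means OK."""
    problems = []

    port = effective["ipsec_over_udp_port"]
    if not UDP_PORT_MIN <= port <= UDP_PORT_MAX:
        problems.append(f"error: IPSec over UDP port {port} is outside "
                        f"{UDP_PORT_MIN}-{UDP_PORT_MAX}")
    elif port == NAT_T_PORT:
        problems.append("error: port 4500 is reserved for NAT-T")

    servers = effective["ipsec_backup_servers"]
    if len(servers) > MAX_BACKUP_SERVERS:
        problems.append(f"error: {len(servers)} backup servers listed, "
                        f"maximum is {MAX_BACKUP_SERVERS}")
    if len(set(servers)) != len(servers):
        problems.append("error: duplicate backup server entries")
    for entry in servers:
        if not entry.strip() or " " in entry.strip():
            problems.append(f"error: one address/name per line, got {entry!r}")

    if effective["allow_password_storage"]:
        problems.append("warning: password storage on the client is enabled; "
                        "a stored password is only as safe as the endpoint")
    return problems


def check_group(group, base=BASE_GROUP):
    """Resolve the group against the base group, then validate the result."""
    effective = resolve_group(base, group)
    return effective, validate(effective)


if __name__ == "__main__":
    # Constructed group: turns on IPSec over UDP and overrides the port to
    # the reserved NAT-T port, which the tab would reject.
    bad = {
        "ipsec_over_udp": {"inherit": False, "value": True},
        "ipsec_over_udp_port": {"inherit": False, "value": NAT_T_PORT},
    }
    effective, problems = check_group(bad)
    print(effective["ipsec_over_udp_port"], problems)
```

Because a field with Inherit? checked silently follows the base group, validate the resolved values rather than the group's own entries: a group that inherits a bad base-group port is just as broken as one that sets it directly.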
Configuring Group Options on Client Config Tab (figure: VPN 3000 Concentrator Series Manager, Client Config tab, Microsoft Client Parameters section with the attributes Intercept DHCP Configure Message, Subnet Mask, IE Proxy Server Policy, IE Proxy Server, IE Proxy Server Exception List, and Bypass Proxy Server for Local Addresses).


The following table lists the Microsoft Client Parameters on the Client Config tab.
Microsoft Client Parameters

Intercept DHCP Configure Message
    Select this check box to enable DHCP Intercept. DHCP Intercept lets Microsoft Windows XP clients implement split tunneling with a VPN Concentrator. For Windows clients prior to XP, DHCP Intercept supplies the domain name and subnet mask.

Subnet Mask
    Enter the subnet mask for clients requesting Microsoft DHCP options.

IE Proxy Server Policy
    Choose from the following options:

    ■ Do not modify proxy settings: Leave the HTTP proxy server setting in Internet Explorer on the client PC unchanged.

    ■ No Proxy: Disable the HTTP proxy server, if any, configured in Internet Explorer on client PCs.

    ■ Auto Detect Proxy: Set Internet Explorer on the client PCs to use its automatic proxy detection feature.

    ■ Use proxy server/port listed below: Set the HTTP proxy server setting in Internet Explorer on client PCs to the values that you configure in the IE Proxy Server field on this screen.

IE Proxy Server
    Enter the proxy server name or IP address and the port number for use by Internet Explorer on Windows client PCs. Separate the name or address from the port number with a colon (:), for example proxy.example.com:8080. This field applies only when the Use proxy server/port listed below radio button is selected.

IE Proxy Server Exception List
    Enter a list of domain names or specific addresses that should not be accessed through the proxy server, if desired.

Bypass Proxy Server for Local Addresses
    Select this check box to let local requests (addresses inside the enterprise network) bypass the proxy server.
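The four policy choices, the exception list, and the local-bypass flag interact, and the practical question is which proxy Internet Explorer ends up using for a given URL once the group settings have been pushed. The following is an added example, not Cisco code, that answers that question for a sample policy. The policy dictionary layout, the wildcard matching for exception entries, the treatment of private and loopback IP literals as "local", and the sample hostnames are assumptions of this example.

```python
# Added example (not Cisco code): what Internet Explorer does for a URL under
# each IE Proxy Server Policy pushed from the Client Config tab.
# The policy layout and sample values are constructed for illustration.
from fnmatch import fnmatchcase
from ipaddress import ip_address
from urllib.parse import urlsplit

UNCHANGED, DIRECT, AUTODETECT = "UNCHANGED", "DIRECT", "AUTODETECT"


def _is_local(host):
    """'Bypass proxy server for local addresses': dotless hostnames count as
    local.  Treating RFC 1918 / loopback literals as local is an assumption
    of this example, not a rule taken from the tab."""
    if "." not in host:
        return True
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return addr.is_private or addr.is_loopback


def _in_exception_list(host, exceptions):
    """Exception entries are domain names or addresses; a '*' wildcard is
    matched case-insensitively (e.g. *.corp.example).  Assumed semantics."""
    return any(fnmatchcase(host, pattern.lower()) for pattern in exceptions)


def proxy_for(url, policy):
    """Return UNCHANGED, DIRECT, AUTODETECT, or the 'host:port' proxy to use."""
    mode = policy["mode"]
    if mode == "do_not_modify":
        return UNCHANGED
    if mode == "no_proxy":
        return DIRECT
    if mode == "auto_detect":
        return AUTODETECT
    if mode != "use_proxy":
        raise ValueError(f"unknown IE proxy policy {mode!r}")

    server = policy["server"]
    if ":" not in server:                 # the tab requires name:port
        raise ValueError("IE Proxy Server must be entered as name:port")
    host = (urlsplit(url).hostname or "").lower()
    if policy.get("bypass_local") and _is_local(host):
        return DIRECT
    if _in_exception_list(host, policy.get("exceptions", [])):
        return DIRECT
    return server


# Constructed policy, as an administrator might set it on the tab.
POLICY = {
    "mode": "use_proxy",
    "server": "proxy.example.com:8080",
    "exceptions": ["*.example.com", "10.1.2.3"],
    "bypass_local": True,
}

if __name__ == "__main__":
    for u in ("http://intranet/", "https://www.example.com/",
              "http://10.1.2.3/", "http://www.example.org/"):
        print(u, "->", proxy_for(u, POLICY))
```

Note that Do not modify proxy settings leaves whatever proxy the user (or malware) already configured in place, so a tunnelled session may still route browser traffic through an unknown proxy; if the corporate policy depends on the proxy, choose one of the explicit options.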


CSVPN v 4.7 Copyright © 2005, Cisco Systems, Inc. 


Configuring Group Options on Client Config Tab (figure: VPN 3000 Concentrator Series Manager, Client Config tab, Common Client Parameters section with the attributes Banner, Split Tunneling Policy, Split Tunneling Network List, Default Domain Name, and Split DNS Names).


The following table lists the Common Client Parameters on the Client Config tab.
Common Client Parameters

Banner
    Enter the welcome text that this group's IPSec clients see when they log in. The maximum length is 510 ASCII characters. The banner is also displayed to VPN Clients, WebVPN users, and VPN 3002 Hardware Clients that are configured for individual user authentication.

Split Tunneling Policy
    Choose from the following options:

    ■ Tunnel everything: This radio button is selected by default and disables split tunneling. All traffic from remote clients in the group travels over the secure IPSec tunnel in encrypted form and goes only to the VPN Concentrator. Remote users in this group reach Internet networks through the corporate network and have no access to local networks.

    ■ Allow the networks in list to bypass the tunnel: Select this radio button if users in the group need access to local networks. All data is sent through the secure IPSec tunnel except data to addresses on the network list. This option is useful for remote users who want to reach devices on their local network, such as printers, while they are connected to the corporate network through a tunnel. This setting applies only to the Cisco VPN Client.

    ■ Only tunnel networks in list: Select this radio button to send traffic for addresses in the list through the secure IPSec tunnel. Traffic to all other addresses is sent in unencrypted form. The purpose of this option is to let remote users reach Internet networks without being tunneled through the corporate network.

    Either split-tunneling option leaves the endpoint attached to the corporate network and to an untrusted network at the same time, so pair it with the group firewall settings on the Client FW tab rather than relying on the tunnel alone.

Split Tunneling Network List
    From the drop-down list, select the split tunneling address list to use with this group's remote-access IPSec clients. Both the Allow Networks in List to Bypass Tunnel option and the Only Tunnel Networks in List option make their split tunneling decisions on the basis of this network list.

Default Domain Name
    Enter the default domain name that the VPN Concentrator passes to the IPSec client.

Split DNS Names
    Enter the domain names to be resolved by the internal DNS server through the tunnel, separated by commas with no spaces. The Default Domain Name is not added automatically: it must be listed explicitly in Split DNS Names if it is to be resolved through the tunnel. The VPN Concentrator does not support split DNS for Microsoft VPN clients; it does support split DNS for the Cisco VPN Client running on Microsoft Windows operating systems.
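The three split-tunneling policies make opposite decisions from the same network list, and the split-DNS rule about the Default Domain Name is a common source of "internal names don't resolve" tickets. The following is an added example, not Cisco code, that spells out both decisions: which destinations the Cisco VPN Client sends through the tunnel under each policy, and which hostnames are resolved by the internal DNS server. The policy identifiers, the sample network list and hostnames, and the handling of unqualified names (appending the Default Domain Name before matching) are assumptions of this example.

```python
# Added example (not Cisco code): the split-tunneling routing decision and the
# split-DNS resolution decision for a Cisco VPN Client, given the group's
# Client Config settings. Policy names and sample data are constructed.
from ipaddress import ip_address, ip_network

TUNNEL_EVERYTHING = "tunnel_everything"
BYPASS_LIST = "allow_networks_in_list_to_bypass_tunnel"
TUNNEL_LIST = "only_tunnel_networks_in_list"


def in_network_list(dst, network_list):
    """True if `dst` falls inside any entry of the Split Tunneling Network List."""
    addr = ip_address(dst)
    return any(addr in ip_network(net, strict=False) for net in network_list)


def send_through_tunnel(policy, network_list, dst):
    """True if traffic to `dst` is sent through the IPSec tunnel."""
    if policy == TUNNEL_EVERYTHING:
        return True                       # the network list is ignored
    listed = in_network_list(dst, network_list)
    if policy == BYPASS_LIST:
        return not listed                 # listed networks stay on the local LAN
    if policy == TUNNEL_LIST:
        return listed                     # everything else leaves in the clear
    raise ValueError(f"unknown split tunneling policy {policy!r}")


def resolve_through_tunnel(hostname, split_dns_names, default_domain=None):
    """True if `hostname` is resolved by the internal DNS server via the tunnel.

    `split_dns_names` is the tab's field: domains separated by commas, no
    spaces.  The Default Domain Name is NOT added implicitly; it must appear
    in the list itself.  Appending the default domain to an unqualified name
    before matching is an assumption of this example.
    """
    entries = split_dns_names.split(",")
    if any(e != e.strip() or " " in e for e in entries):
        raise ValueError("Split DNS Names must be comma-separated without spaces")
    domains = [e.lower() for e in entries if e]
    host = hostname.lower().rstrip(".")
    if "." not in host and default_domain:
        host = f"{host}.{default_domain.lower()}"
    return any(host == d or host.endswith("." + d) for d in domains)


if __name__ == "__main__":
    # Constructed network list: the corporate address space.
    NETS = ["10.0.0.0/8", "192.168.1.0/24"]
    for policy in (TUNNEL_EVERYTHING, BYPASS_LIST, TUNNEL_LIST):
        for dst in ("10.2.3.4", "192.168.1.20", "8.8.8.8"):
            print(f"{policy:45} {dst:14} tunnel={send_through_tunnel(policy, NETS, dst)}")
    print(resolve_through_tunnel("mail", "corp.example", default_domain="corp.example"))
```

Under Only tunnel networks in list the same list that defines the corporate networks also defines what is sent unencrypted, so review it with the same care as a firewall rule.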
Configuring Group Options on WebVPN Tab


By using this tab, you can configure access to network resources for WebVPN users.


Configuring Group Options on WebVPN Tab (figure: VPN 3000 Concentrator Series Manager, WebVPN tab, WebVPN Parameters with the attributes Enable URL Entry, Enable File Access, Enable File Server Entry, Enable File Server Browsing, Enable Port Forwarding, Enable Outlook/Exchange Proxy, Apply ACL, and Enable Auto Applet Download. The on-screen description for Enable File Access notes that a NetBIOS Name Server must be configured under System | Servers when File Access is enabled.)

Check the Inherit? box for any field that should default to the base group value. Uncheck the Inherit? box and enter a new value to override the base group value.
You can perform the following steps to enable the Cisco SSL VPN Client for WebVPN:


Step 1  After logging on to the VPN 3000 Series Concentrator Manager, click the Configuration menu. This displays the features that can be configured: Interfaces, System, User Management, Policy Management, and Tunneling and Security.

Step 2  Click User Management. This section allows you to configure group and user parameters, including IPSec, PPTP, and L2TP.

Step 3  Click Groups. A group is a collection of users treated as a single entity. The existing groups are listed under Current Groups. From here you can add new groups, delete groups, and modify the parameters of existing groups.

Step 4  Select a group from the Current Groups list and click the Modify Group button. The page that opens contains the General, IPSec, Client Config, Client FW, HW Client, PPTP/L2TP, WebVPN, and NAC tabs. On any tab, clear the Inherit? check box to override the base group value for a field, or select the Inherit? check box to have the field take its value from the base group.

Step 5  Click WebVPN to modify the parameters on the WebVPN tab.

Step 6  Select the Enable Cisco SSL VPN Client check box. Click the Apply button to save the changes.

Step 7  Click Save Needed to save the configuration.

Step 8  On the Save Successful dialog box, click the OK button.


To log on with the Cisco SSL VPN Client, browse to the WebVPN URL and enter your username and password. The Cisco SSL VPN Client is installed on your system automatically, and a key icon appears on the taskbar.
The following table lists the components of the WebVPN tab.


WebVPN Parameters

Enable URL Entry
    Select this check box to allow users to enter Web addresses in the URL entry box and to use WebVPN to reach those websites. Clearing this check box limits Internet access for WebVPN users: they cannot browse the Internet through the WebVPN connection.

Enable File Access
    Select this check box to allow users to access Windows files on the network. They can download, edit, delete, rename, and move files. If you enable only this parameter for WebVPN file sharing, users can access only the servers that you configure on the Tunneling and Security page. File Access requires a NetBIOS Name Server to be configured under System | Servers.

Enable File Server Entry
    Select this check box to allow users to enter the path names of Windows file servers directly. File Access must be enabled. Users may need to authenticate before accessing files.

Enable File Server Browsing
    Select this check box to allow users to browse the Windows network for domains/workgroups, servers, and shares. Users can select domains and workgroups and browse the servers and shares within them. File Access must be enabled. Users may need to authenticate before accessing servers.

Enable Port Forwarding
    Select this check box to allow users to reach client/server applications by mapping local TCP ports on their system to remote ports.

Enable Outlook/Exchange Proxy
    Select this check box to enable the Outlook/Exchange mail forwarding (MAPI) proxy.

Apply ACL
    Select this check box to apply the WebVPN Access Control List that is defined for the users of this group.

Enable Auto Applet Download
    Select this check box to start the port forwarding or Outlook/Exchange Proxy Java applet automatically when users log on through WebVPN. This applies only if WebVPN is enabled for the group.

Enable Citrix MetaFrame
    Select this check box to enable support for Citrix MetaFrame services through WebVPN.

Enable Cisco SSL VPN Client
    Select this check box to enable the Cisco SSL VPN Client (SVC).

Require Cisco SSL VPN Client
    Select this check box to make the SSL VPN Client mandatory for members of this group. When it is selected, standard (clientless) WebVPN connections are not permitted. This setting has no effect unless the Enable Cisco SSL VPN Client check box is also selected. It is not selected by default.

Keep Cisco SSL VPN Client
    Select this check box to allow clients to keep the Cisco SSL VPN Client software installed on their PCs, which speeds up subsequent connections.

Port Forwarding Name
    Enter the display name that users see when using TCP Port Forwarding.

Homepage
    Enter the default Web page that is displayed to users when they connect for the first time.

Filter Java/ActiveX
    Select this check box to remove <applet>, <embed>, and <object> tags from HTML.

Filter Scripts
    Select this check box to remove <script> tags from HTML.

Filter Images
    Select this check box to remove <img> tags from HTML.

Filter Cookies from Images
    Select this check box to remove cookies that are delivered with images.
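The three tag filters at the end of the table rewrite HTML before it reaches the user's browser. To make concrete what such a rewrite does (and does not) remove, here is an added example, not Cisco code, of a filter implementing the Filter Java/ActiveX, Filter Scripts, and Filter Images behaviour described above with Python's standard HTML parser. The option names, the decision to drop the contents of <script>, <applet>, and <object> along with the tags, and the sample HTML are assumptions of this example.

```python
# Added example (not Cisco code): a content filter with the behaviour of the
# Filter Java/ActiveX, Filter Scripts and Filter Images options. Option names,
# the container handling and the sample markup are constructed.
from html.parser import HTMLParser

FILTERS = {
    "java_activex": {"applet", "embed", "object"},
    "scripts": {"script"},
    "images": {"img"},
}
# Elements whose inner content is dropped together with the tags.
CONTAINERS = {"applet", "object", "script"}


class WebVPNFilter(HTMLParser):
    def __init__(self, enabled):
        super().__init__(convert_charrefs=False)
        self.blocked = set().union(*(FILTERS[name] for name in enabled))
        self.out = []
        self.skipping = []            # stack of blocked containers still open

    def _emit(self, text):
        if not self.skipping:
            self.out.append(text)

    def handle_starttag(self, tag, attrs):
        if tag in self.blocked:
            if tag in CONTAINERS:
                self.skipping.append(tag)
            return                    # the tag itself is dropped
        self._emit(self.get_starttag_text())

    def handle_startendtag(self, tag, attrs):      # e.g. <img ... />
        if tag not in self.blocked:
            self._emit(self.get_starttag_text())

    def handle_endtag(self, tag):
        if self.skipping and tag == self.skipping[-1]:
            self.skipping.pop()
            return
        if tag not in self.blocked:
            self._emit(f"</{tag}>")

    def handle_data(self, data):
        self._emit(data)

    def handle_entityref(self, name):
        self._emit(f"&{name};")

    def handle_charref(self, name):
        self._emit(f"&#{name};")

    def handle_comment(self, data):
        self._emit(f"<!--{data}-->")

    def handle_decl(self, decl):
        self._emit(f"<!{decl}>")


def filter_html(html, enabled):
    """Return `html` with the tags selected by `enabled` removed."""
    parser = WebVPNFilter(enabled)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed page fragment carrying each kind of filtered element.
    SAMPLE = ('<p>Hello<script>alert(1)</script><img src="a.png">'
              '<object data="x.swf"><param name="q"></object></p>')
    for enabled in (["scripts"], ["scripts", "images"], ["java_activex"]):
        print(enabled, "->", filter_html(SAMPLE, enabled))
```

Keep the scope of this control in mind: it strips specific elements so that active content does not run in the WebVPN user's browser, but it leaves inline event-handler attributes on the tags that remain, so it is a usability and client-protection measure, not a substitute for fixing output encoding in the internal applications themselves.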
Configuring Global Parameters


This topic describes the process involved in configuring system-wide parameters.


Configuring Global Parameters (figure: VPN 3000 Concentrator Manager, Configuration | System. The screen lists the system-wide sections: Servers (authentication, authorization, accounting, DNS, DHCP, NBNS, and NTP); Address Management (address assignment options and address pools); IP Routing (static routes, default gateways, OSPF, global DHCP, and redundancy (VRRP)); Management Protocols (FTP, HTTP, TFTP, Telnet, SNMP, and XML); Events (defaults, classes, trap destinations, syslog and SMTP servers, and e-mail); General (system name, contact, location, time and date, maximum sessions, global authentication); Client Update (enable, clients, URLs, revisions); and Load Balancing (cluster configuration, priority, enable).)
You can configure several global parameters in the sections available under Configuration > System. Using these sections you can configure servers, address management, IP routing, management protocols, events, general parameters, client update, and load balancing.


■ Servers: This section enables you to configure parameters for the servers that authenticate, authorize, and account for users. The key servers are:

    — Authentication: You can configure the Cisco VPN 3000 Series Concentrator internal server and external RADIUS, NT Domain, and SDI servers for authenticating users. Ensure that you configure at least one authentication server type and one method of authenticating users.

    — Authorization: You can configure parameters for servers that authorize users. Authorization can be configured on a global or group basis.

    — Accounting: You can configure parameters for external RADIUS user accounting servers. You can configure and prioritize up to ten servers. The first server is the primary, and the rest are backup servers. Ensure that the servers you reference are properly configured.

    The other servers include the DNS Server, DHCP Server, Firewall Server, NBNS Server, and NTP Server.

■ Address Management: This section enables you to configure options for assigning addresses to clients when a tunnel is established. A client must have an IP address to function as a tunnel endpoint. This section includes the Assignment and Pools components:

    — Assignment: This component enables you to configure options for assigning addresses to clients while a tunnel is being established.

    — Pools: This component enables you to configure the IP address pools from which the Cisco VPN 3000 Series Concentrator assigns addresses to clients. You can also add and modify IP address pools.

■ IP Routing: This section includes the Static Routes, Default Gateways, Open Shortest Path First (OSPF), OSPF Areas, DHCP, Redundancy, and Reverse Route Injection components, and lets you configure several system-wide IP routing parameters. For example, in the Default Gateways component you can configure the default gateway for IP routing and for tunneled traffic. When you configure a tunnel default gateway, the Cisco VPN 3000 Series Concentrator forwards tunnel-to-tunnel traffic to that gateway, which redirects it back through the Concentrator to its destination. You can also override the default gateway by selecting the Override Default Gateway check box.

■ Management Protocols: This section allows you to configure and enable the built-in VPN Concentrator servers that provide management functions using FTP, HTTP, TFTP, Telnet, SNMP, SNMP Communities, and XML. Enable only the protocols you actually use for management; FTP, HTTP, TFTP, and Telnet carry credentials and configuration data in cleartext.

■ Events: This section enables you to configure how the VPN 3000 Concentrator handles events such as alarms, traps, and error conditions.

■ General: This section enables you to configure several general parameters for the Cisco VPN 3000 Series Concentrator, such as Identification, Time and Date, Sessions, and Global Authentication Parameters.

■ Client Update: This section enables you to configure the client update feature, which the VPN 3000 Concentrator includes to simplify the software update process.

■ Load Balancing: This section enables you to share the session load when two or more VPN Concentrators connected to the same network handle remote sessions.


You can also configure global parameters in the sections available under Configuration > Tunneling and Security > SSL > HTTPS and Configuration > Tunneling and Security > SSL > Protocols.


■ SSL: This section allows you to set the Secure Sockets Layer (SSL) options for management and WebVPN remote access sessions. SSL establishes the encrypted session between the remote user (the client) and the VPN Concentrator; the user then authenticates over that session. The components of SSL are:

    — HTTPS: You can configure HTTPS (HTTP over SSL), which lets you manage the VPN 3000 Concentrator from a Web browser over an encrypted connection. The following table lists the components of the HTTPS section.
Components of HTTPS

Enable HTTPS
    Select this check box to enable the HTTPS server. The check box is selected by default.

HTTPS Port
    Enter the port number that the HTTPS server uses. The default value is 443.

Client Authentication
    Select this check box to enable SSL client authentication with digital certificates. This check box is not selected by default.


    — Protocols: You can configure the encryption algorithms and SSL versions that the VPN Concentrator SSL server can negotiate with a client and use to encrypt a session. The following table lists the components of the Protocols section.


Components of Protocols

Encryption Protocols
    Select the check boxes for the encryption algorithms that the VPN Concentrator SSL server can negotiate with a client and use for session encryption. All check boxes are selected by default. At least one algorithm must be selected for SSL to work; if none is selected, SSL is disabled.

SSL Version
    Click the drop-down arrow and select the SSL version. The selected version must be supported by both sides of the connection. The options are: Negotiate SSL V3/TLS V1, Negotiate SSL V3, SSL V3 Only, TLS V1 Only, and Negotiate TLS V1. SSL V3 is obsolete and has known weaknesses; where your clients and browsers allow it, choose TLS V1 Only so that a session cannot be negotiated down to SSL V3.

SSL Re-Key Interval
    Enter the number of seconds between renegotiations of the SSL connection. This value applies to Cisco SSL VPN Clients. The range is 300 seconds (5 minutes) to 604,800 seconds (one week); the default is 86,400 seconds (one day).
Summary


This topic summarizes the key points that were discussed in this lesson.


Summary

• The Cisco VPN 3000 Series Concentrator running version 4.7 or later offers extensive application support through its dynamically downloaded Cisco SSL VPN Client for WebVPN.

• The Cisco SSL VPN Client provides secure access to the corporate network by establishing end-to-end, encrypted VPN tunnels.

• The STCIE.EXE utility enables non-privileged users to install the Cisco SSL VPN Client on a system.

• Configure the global parameters and the options available on the General, Client Config, and WebVPN tabs of the Cisco VPN 3000 Series Concentrator v4.7 to meet customized requirements.
Lab Exercise—Install Cisco SSL VPN Client and Configure VPN 3000 Series Concentrator v4.7


Complete the following lab exercise to practice what you learned in this lesson.


Objectives


Your task in this lab exercise is to install the Cisco SSL VPN Client and configure the VPN 3000 Series Concentrator v4.7. Work with your lab partner to complete the following tasks:


■ Complete the lab exercise setup.
■ Install the Cisco SSL VPN Client.
■ Configure the VPN 3000 Series Concentrator v4.7.


Visual Objective


The following figure displays the configuration you will complete in this lab exercise.


Lab Visual Objective (figure: the Student PC running the Cisco VPN Client, at 172.26.26.P on the 172.26.26.0 network, connects to the Cisco VPN 3000 Series Concentrator, behind which lies the 192.168.P.0 network.)


Scenario


You are working as a network administrator in your organization. The senior network administrator has assigned you the task of installing the Cisco SSL VPN Client and configuring the VPN 3000 Series Concentrator v4.7 to enhance network security.


Task 1—Complete the Lab Exercise Setup


Before starting this lab exercise, verify your equipment as follows:


■ Ensure that your student PC is powered on.

■ Ensure that your student PC IP addresses are configured correctly:

    Primary IP address: 172.26.26.P (where P = pod number)
    Default gateway IP address: 172.26.26.150

■ Ensure that your Concentrator is powered on.


Task 2—Install Cisco SSL VPN Client


Complete the following steps to install the Cisco SSL VPN Client.

Step 1  Download the sslclient-win*.pkg file from the Cisco Web site, using your Cisco.com login, to any location on the PC.

Step 2  In the Web browser window, enter the IP address of the VPN 3000 Concentrator.

Step 3  When a security alert certificate dialog box is displayed, click the Yes button to gain access to the VPN 3000 Concentrator Series Manager window. (Accepting the warning is expected in the lab; on a production system, verify that the certificate presented is the one installed on the Concentrator before accepting it.)

Step 4  Enter the username and password in the Login and Password text boxes for authentication. Click the Login button.

Step 5  Click Configuration > Tunneling and Security > WebVPN.

Step 6  Click Cisco SSL VPN Client.

Step 7  Click the Browse button to open the Choose File dialog box. Locate the Cisco SSL VPN Client package file, and then click the Open button.

Step 8  Click the Apply button to display the File Upload window. When the Upload complete message appears, click Save Needed.

Step 9  Click the OK button on the Save Successful dialog box.

Step 10 Click Cisco SSL VPN Client to verify the installation. Note that four options now appear on the Web page: Enable Cisco SSL VPN Client, Disable Cisco SSL VPN Client, Install Cisco SSL VPN Client, and Uninstall Cisco SSL VPN Client.


Task 3—Configure VPN 3000 Series Concentrator v4.7


Complete the following steps to configure the VPN 3000 Series Concentrator.

Step 1  Log on to the VPN 3000 Series Concentrator Manager window.

Step 2  Click Configuration > User Management > Groups.

Step 3  Select a group from the Current Groups list and click the Modify Group button.

Step 4  Click WebVPN.

Step 5  Select the Enable Cisco SSL VPN Client check box.

Step 6  Click the Apply button.

Step 7  Click Save Needed.

Step 8  Click the OK button on the Save Successful dialog box.
Lesson 2

Installing and Configuring
Cisco Secure Desktop


Overview


This lesson explains how the Cisco Secure Desktop (CSD) works, and describes the procedure to install and configure it. It includes the following topics:


■ Objectives
■ Cisco Secure Desktop—An Overview
■ Installing Cisco Secure Desktop
■ Identifying Secure Desktop Manager Options
■ Configuring Secure Desktop Manager Options
■ Enabling Cisco Secure Desktop
■ Summary
■ Lab Exercise


Objectives


This section lists the lesson's objectives.


Objectives

Upon completion of this lesson, you will be able to perform the following tasks:

• Explain how Cisco Secure Desktop works.
• Install Cisco Secure Desktop on the VPN 3000 Concentrator.
• Identify the Secure Desktop Manager options.
• Configure the Secure Desktop Manager options.
• Enable Cisco Secure Desktop on the VPN 3000 Concentrator.
Cisco Secure Desktop—An Overview

This topic describes how the CSD works.


Enterprises are increasingly expected to provide secure remote access to the corporate network for a diverse mix of users, and that access must be secure for both the remote user and the corporate network. WebVPN securely extends the corporate network to an authorized user. Its main advantage is that users can reach the corporate network from any supported browser, so they are not required to install any VPN client software on their system.


However, extending the network in this way also increases the number of points at which it can be attacked. CSD addresses these WebVPN endpoint security issues. CSD is an endpoint security solution that offers data theft prevention, so that confidential data does not remain unprotected on a remote system. It provides an encrypted workspace for users throughout an SSL session. CSD performs a preconnection security state, or "posture", assessment of the connecting device; it protects sensitive data during the session by creating a secure virtual desktop; and it provides postconnection cleanup that removes traces of sensitive session information.


When a remote user attempts to connect to the corporate network, CSD is downloaded to the user's desktop via ActiveX, Java, or an .exe installer. The CSD Host Integrity Verification feature performs the preconnection posture assessment to certify that the endpoint seeking access has the particular antivirus, firewall, and OS or service pack features that are required. It also checks for installed malware before granting access to the network. CSD then creates a secure vault for all session information by generating a virtual desktop on the user system. During the session, all information is encrypted as it is written to the CSD partition on the hard drive.


At the close of the session, the secure vault is eradicated. Because cache files, history, cookies, file downloads, and passwords were encrypted in real time as they were written, data is protected from the start of the session, not only at cleanup. The automatic timeout feature of CSD ensures that session information is erased when the session times out.


Note that both the posture assessment and the secure vault run on the remote endpoint, that is, on a machine you do not administer. Treat the posture result as a policy input rather than a guarantee, and keep the server-side controls (authentication, the group WebVPN ACL, and the WebVPN content filters) in place regardless of what the endpoint reports.
Installing Cisco Secure Desktop


This topic describes how to install CSD on the VPN 3000 Concentrator.


Installing Cisco Secure Desktop (figure: VPN 3000 Concentrator Series Manager, Configuration | Tunneling and Security | WebVPN | Secure Desktop | Setup. The screen reports "Secure Desktop version 3.0.2.275 is currently installed and enabled" and offers the actions Disable Secure Desktop, Enable Secure Desktop, Uninstall Secure Desktop, and Install a new Secure Desktop, with Apply and Cancel buttons.)


To install CSD, first download the securedesktop*.pkg file. You then install the securedesktop*.pkg file in the VPN 3000 Concentrator Series Manager application and configure its settings before you enable it for remote users over WebVPN.


Note  Before you start the installation process, download the CSD installation file and copy it to any location on your management PC.


To install CSD, do the following:


Step 1  Connect to the VPN 3000 Series Concentrator, and log on to the VPN Concentrator Manager application.

Step 2  On the home page of the VPN Concentrator Manager, click Configuration > Tunneling and Security > WebVPN > Secure Desktop > Setup.

Step 3  Click the Install a new Secure Desktop radio button.

Step 4  Click the Browse button and locate the CSD installation file on your management PC.

Step 5  Click the Apply button. CSD is installed on the VPN Concentrator and a Secure Desktop Package Upload Success window is displayed.

Step 6  Click Save Needed to save the settings.

Step 7  Click the OK button when the Save Successful message box appears.


Tip  Users with a valid Cisco.com login ID and privileges to download the VPN software can visit http://www.cisco.com/cgi-bin/tablebuild.pl/vpn3000-3des to download the securedesktop*.pkg file.
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Identifying Secure Desktop Manager Options 


This topic describes the different Secure Desktop Manager options that you can configure. 


[Figure: Identifying Secure Desktop Manager Options. Screenshot of the Secure Desktop Manager for WebVPN window in the VPN 3000 Concentrator Series Manager, with the subtree items Windows Location Settings, Mac & Linux Cache Cleaner, and Upload/Download Settings.] 
CSD contains a customizable suite of security tools that you can configure for various 
deployment scenarios. By doing this, you can secure remote systems and enforce your 
company's network security policies. You configure these options in the Secure Desktop 
Manager software for WebVPN, which runs within the VPN Concentrator Manager application. 
To configure CSD settings for client computers, navigate to the Configuration > 
Tunneling and Security > WebVPN > Secure Desktop > Manager window. The Secure 
Desktop Manager window initially has these options: 


■ Windows Location Settings 

■ Mac & Linux Cache Cleaner 

■ Upload/Download Settings 
Configuring Secure Desktop Manager Options 


This topic describes how to configure the Secure Desktop Manager options. 


[Figure: Configuring Secure Desktop Manager Options. Screenshot of the Secure Desktop Manager for WebVPN window (logged in as admin), whose help text explains that you begin configuration by clicking Windows Location Settings, then define the settings for each location using the location subtree items, use Mac & Linux Cache Cleaner for Mac and Linux users, and use Upload/Download Settings to upload saved configurations or download the current one.] 
To configure the Secure Desktop Manager options, click Windows Location 
Settings and define the different locations that users will connect from. Then define the settings 
for each of the locations using the location subtree items. Click Mac & Linux Cache Cleaner 
to configure the settings for Mac & Linux users. To upload any saved configurations or 
download the current configuration, click Upload/Download Settings. 
Configuring the Windows Location Settings 


By configuring the Windows locations, you can allow CSD to deploy an appropriate secure 
environment for the hosts that connect through the VPN. It is in the administrator’s best 
interests to increase security on hosts that are likely to be insecure, while offering flexibility to 
hosts that are deemed secure. 


[Figure: Configuring the Windows Location Settings. Screenshot of the Windows Location Settings window, showing the Location name text box, the Locations in priority order list, and the check boxes "Close all opened browser windows upon installation" and "If Windows installation or location matching fails, enable web browsing".] 
You can use the Windows Location Settings option to create a group of settings for Windows 
clients connecting from a particular type of location, such as Work, Home, or an Internet Cafe. 
For example, clients connecting from within a workplace LAN on a 10.x.x.x network behind a 
NAT device are not at risk for exposing confidential information. For these clients, a network 
administrator might set up a CSD Windows Location named Work that is specified by IP 
addresses on the 10.x.x.x network, and disable both the Cache Cleaner and the Secure Desktop 
function for this location. 


In contrast, users’ home PCs might be considered more at risk to viruses due to their mixed use. 
For these clients, you might set up a location named Home that is specified by a corporate- 
supplied certificate that employees install on their home PCs. This location would require the 
presence of antivirus software and specific, supported operating systems to grant full access to 
the network. 


After you create a Windows location name, you can also configure other options such as VPN 
Feature Policy, Cache Cleaner, and Secure Desktop features for that location. Network 
administrators need to first consider the different hosts that will connect through the VPN and 
then consider what modules and criteria are needed to secure these hosts. When you configure 
multiple Windows location names, CSD checks locations in the order listed on the Windows 
Location Settings window. CSD then grants privileges to a client PC based on the first location 
definition it matches. The Locations in priority order list shows the locations that you have 
configured in their order of priority. You can change this priority order by choosing a location 
name and clicking the Move Up or Move Down button. 


Note Begin configuring CSD by defining Windows Locations. Windows Locations apply to 
supported Microsoft Windows clients only; they do not apply to Macintosh and Linux clients. 


To create a Windows location name, do the following: 


Step 1 Connect to the VPN 3000 Series Concentrator, and log in to the VPN 
Concentrator Manager application. 


Step 2 In the home page of VPN Concentrator Manager, click Configuration > 
Tunneling and Security > WebVPN > Secure Desktop > Manager window. 


Step 3 Click Windows Location Settings in the subtree on the left panel of the Secure 
Desktop Manager window. 


Step 4 Enter the location name in the Location name text box, and then click Add. 
Step 5 Click Save to save the changes. 


You can remove unsecured Web browser sessions when CSD is installed by selecting the Close 
all opened browser windows upon installation check box. This option applies to all the 
Windows locations. You can also configure the Windows location settings to allow Windows 
clients to use the VPN to browse the Web as a minimal connection option if the client PC does 
not match the criteria of any of the configured locations. To do this, select the If Windows 
installation or location matching fails, enable web browsing check box. 
Identifying the Windows Location Name 


To define and configure the settings for a Windows location, click the location name. When you 
click the location name, the identification window opens. This window enables you to specify the 
criteria that define the location. A location can be based on a certificate, an IP address range, 
or the presence or absence of a particular file or registry entry. 


[Figure: Identifying the Windows Location Name. Screenshot of the identification window for the location Home, with the options Enable identification using certificate criteria, Enable identification using IP criteria, Enable identification using File or Registry criteria, and Use Module (Secure Desktop or Cache Cleaner).] 
There are three identification criteria that you can provide for a Windows location name. They 
are: 


■ Enable identification using certificate criteria—You can select this option to allow 
CSD to identify the client computer by its certificate. If you select this option, you 
must provide the certificate information with the Name (company) and Issuer 
(certificate). 


■ Enable identification using IP criteria—You can select this option to allow CSD to 
check the IP address of the client trying to connect. If the client has an address 
within the specified range, CSD will validate the location. If the client has more than 
one network card, CSD will use only the address of the first card that has been 
detected. If you select this option, you must enter one or more IP address ranges by 
clicking the Add button. 


■ Enable identification using File or Registry criteria—You can select this option to 
allow CSD to identify the clients trying to connect by checking for the specified files or 
registry keys. If the client has these files or registry keys, CSD will validate the location. If you 
select this option, you must enter one or more file or registry names and strings by 
clicking the Add button. You can enter the file or registry key information and set the 
condition by using a number of check boxes and drop-down items. 


■ Use Module—You can use this option to select the CSD module that you need for a 
particular location. The options from which you can choose are Cache Cleaner, 
Secure Desktop, or neither. You cannot use the Cache Cleaner and Secure Desktop at 
the same time. If neither is selected, the VPN Feature Policy will be applied. 


CSD considers the three location criteria areas in a logical “AND” relationship. For example, you 
can specify an IP address range under Enable identification using IP criteria, and also 
specify “File company_software.exe #does exist#” under Enable identification using File or 
Registry criteria. The client must then meet both of these conditions to match the location. 
However, within each area, only one of the criteria you specify must match, because 
CSD considers the entries within an area in a logical “OR” relationship. Hence, if you specify several files 
under Enable identification using File or Registry criteria, only one of these files needs to be 
present. 


Note If you need to install CSD on all the clients regardless of their status, you can configure only 
one location without specifying certificate, IP address, or file or registry criteria. This 
default location will enable all your remote users to connect from any computer. 
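The location matching rules just described, as an added illustration in Python (this is not Cisco's code and not how the concentrator implements it): locations are tried in priority order and the first match wins, the certificate, IP and file/registry areas of one location are ANDed, the entries inside one area are ORed, only the first network card's address counts, and a location with no criteria matches everyone. The location names, the certificate name and issuer, the 10.x.x.x range and the file path are constructed sample values, and representing a file criterion as a (path, must_exist) pair is an assumption about the "#does exist#" style condition.

```python
"""Model of how CSD picks a Windows Location for a connecting client.

Added illustration, not Cisco code. It encodes the rules stated in the text:
  - locations are checked in the priority order listed; the first match wins
  - the certificate, IP, and file/registry areas of one location are ANDed
  - the entries inside one area are ORed (any one entry satisfies the area)
  - only the address of the first detected network card is used
  - a location with no criteria at all matches every client
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass
class Client:
    """What CSD learns about the connecting PC (constructed sample data)."""
    addresses: List[str]                            # NIC addresses, first card first
    cert: Optional[Tuple[str, str]] = None          # (Name (company), Issuer (certificate))
    present: Set[str] = field(default_factory=set)  # files / registry keys that exist


@dataclass
class Location:
    name: str
    certs: List[Tuple[str, str]] = field(default_factory=list)
    ip_ranges: List[Tuple[str, str]] = field(default_factory=list)  # inclusive (from, to)
    # (path, must_exist) is an assumed shape for the "#does exist#" style condition
    files: List[Tuple[str, bool]] = field(default_factory=list)
    module: Optional[str] = None  # "Secure Desktop", "Cache Cleaner" or None (policy only)

    def matches(self, client: Client) -> bool:
        areas = []  # one verdict per enabled criteria area; all must hold (AND)
        if self.certs:
            areas.append(client.cert is not None and client.cert in self.certs)
        if self.ip_ranges:
            if not client.addresses:
                areas.append(False)
            else:
                first = ipaddress.ip_address(client.addresses[0])  # first card only
                areas.append(any(
                    ipaddress.ip_address(lo) <= first <= ipaddress.ip_address(hi)
                    for lo, hi in self.ip_ranges))                  # OR over ranges
        if self.files:
            areas.append(any((path in client.present) == must_exist
                             for path, must_exist in self.files))   # OR over entries
        return all(areas)  # all([]) is True: a criteria-less location matches anyone


def identify_location(locations: List[Location], client: Client) -> Optional[Location]:
    """Return the first location in priority order that the client satisfies."""
    for loc in locations:
        if loc.matches(client):
            return loc
    return None


# Constructed sample policy (names, ranges and paths are illustrative only)
AV_PATH = r"C:\Program Files\AV\av.exe"
WORK = Location("Work", ip_ranges=[("10.0.0.0", "10.255.255.255")])
HOME = Location("Home", certs=[("Example Corp", "Example Corp CA")],
                files=[(AV_PATH, True)], module="Secure Desktop")
ANY = Location("Any", module="Cache Cleaner")  # default catch-all, listed last
POLICY = [WORK, HOME, ANY]

if __name__ == "__main__":
    samples = (
        Client(["10.1.2.3", "192.168.1.5"]),
        Client(["192.168.0.1", "10.1.2.3"]),
        Client(["192.168.0.1"], cert=("Example Corp", "Example Corp CA"), present={AV_PATH}),
    )
    for c in samples:
        print(c.addresses, "->", identify_location(POLICY, c).name)
```

The order of POLICY matters exactly as the Move Up and Move Down buttons do on the concentrator: if ANY were listed first, every client would land in it and the Work and Home definitions would never be consulted.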


18-46 CSVPN v 4.7 Copyright © 2005, Cisco Systems, Inc. Copyright © 2005, Cisco Systems, Inc. 


Configuring the Cache Cleaner Options 


The Cache Cleaner option erases all data that a user downloaded, inserted, or created in the 
browser, including cached files, configuration changes, cached browser information, passwords 
entered, and auto-completed information. 


[Figure: Configuring the Cache Cleaner Options. Screenshot of the Cache Cleaner window for the location Home, with the options Launch hidden URL after installation, Show message at the end of successful installation, Launch cleanup upon inactivity timeout (Timeout after: 5 minutes), Launch cleanup upon closing of all browser instances, Disable cancellation of cleaning, and Clean the whole cache in addition to the current session cache (IE).] 
While configuring the Cache Cleaner option, you can configure the following options based on 
your network requirements: 


■ Launch hidden URL after installation—Select this option to enter a URL that you 
use for administrative purposes to know whether the client has the Cache Cleaner installed. 
For example, you can place a cookie file on the client's computer, and then check for 
the presence of that cookie. 


■ Show message at the end of successful installation—Select this option to display a 
message box on the client's computer. 


■ Launch cleanup upon inactivity timeout—Select this option to set a specific timeout 
period after which the cleanup begins. You can set the timeout period in the 
Timeout after option. This option is an inactivity timer. 


■ Launch cleanup upon closing of all browser instances—Select this option to enable 
a cleanup after all the browser windows are closed. 


■ Disable cancellation of cleaning—Select this option to disable the cancel feature. 


■ Clean the whole cache—Select this option to remove all the data from the Internet 
Explorer cache. This will remove all the data from the time of activation, including all 
the files that were generated before the client's CSD session began. 


Note The Cache Cleaner works with Microsoft Internet Explorer 5.0 or later on Windows 98, ME, 
NT 4, 2000, and XP; Internet Explorer 5.2 or later, or Safari 1.0 or later, on Macintosh 
(MacOS X); and Mozilla 1.1 or later on Red Hat Linux v9. 
Configuring the VPN Feature Policy 


By using the VPN Feature Policy option in the Secure Desktop Manager, you can conditionally 
or unconditionally enable a feature for the Windows location. As a network administrator, you 
need to secure enterprise networks and data by configuring System Detection. By using 
System Detection, you can confirm the presence of antivirus software, personal firewall 
software, and Windows service packs on the client's computer as a condition to enable particular 
features. 


[Figure: Configuring the VPN Feature Policy. Screenshot of the VPN Feature Policy window for a location; each feature (for example Full Tunneling) has a drop-down list beside it, and the WebVPN subtree on the left lists HTTP/HTTPS Proxy, Home Page, Email Proxy, Servers and URLs, Port Forwarding, Cisco SSL VPN Client, and Secure Desktop.] 


To enable a feature for the location unconditionally, select the ON option from the 
drop-down list next to the name of the feature. If you require specified software or security to 
be present on the client, select the ON if criteria are matched option from the drop-down 
list. You can then click the associated ellipsis (...) button to open the criteria dialog window. 


In this window, you can enable System Detection for antivirus software, personal firewall, 
service packs, and Secure Desktop or Cache Cleaner. Click one or more of the security 
categories to require their presence as a condition for the features you enabled in 
the previous window. For each enabled security category, you can select one or more 
options; the browser highlights the options as you select them. However, you can select 
only one option in the Feature category. 


CSD considers the criteria within each category in a logical “OR” relationship. For example, if 
you specify several antivirus programs, only one of these antivirus programs needs to be present. 
The relationship between categories is an “AND” relationship. If you select only one 
category, the client must pass the System Detection check for that category. If you select all 
categories, then the client has to meet all the conditions set by the criteria. Therefore the client 
must have anti-virus software, a personal firewall, a service pack, and a Secure Desktop feature 
that match the options selected in this window. 
The categories and options available in this window are as follows: 


■ Anti-Virus—Select this option to enable System Detection for the anti-virus software. You 
can specify any of the anti-virus software in the list, and if one of them is available, this 
criterion will be met. The options among the anti-virus programs have an “OR” 
relationship; therefore the client's computer has to run any one of the anti-virus software 
programs that you have selected. System Detection checks for the following anti-virus 
software programs: 


— eTrust Antivirus (7.0 through 2005) 
— F-Secure Antivirus (2003 through 2005) 
— McAfee VirusScan (8.0 through 9.0, Enterprise 7.0 through 8.0) 
— Norton AntiVirus For Windows (Corporate 8.0 through 9.0, Professional 2004 
through 2005) 
— Panda AntiVirus Platinum (7.0 through 8.0) or Titanium 2004 
— PC-cillin 2003 or 2004 
— Trend Micro PC-cillin Internet Security 2004 
— Microsoft Windows AntiSpyware (beta1) 


■ Firewall—Select this option to enable System Detection for personal firewall. You can 
specify any personal firewall in the list, and if one of them is running, this criterion will be 
met. The choices among personal firewalls have an “OR” relationship. Therefore, the 
client's computer must be running any one of the personal firewalls that you have selected. 
The personal firewall software that System Detection checks for is as follows: 


— Cisco Security Agent (4.0 through 4.5) 
— Internet Connection Firewall (ICF) (Windows XP through XP SP2) 
— ISS BlackICE PC Protection (3.6) 
— McAfee Personal Firewall (4.0 through 5.0) 
— Norton Personal Firewall (2003 through 2005) 
— Sygate Personal Firewall (5.0 through 5.5) 
— ZoneAlarm Personal Firewall (4.0 through 5.0) 


■ OS—Select this option to enable System Detection for a particular operating system and 
service pack. The choices among service packs have an “OR” relationship. Therefore, the 
client's computer has to run one of the operating system and service pack combinations that 
you have selected. The operating systems and service packs that System Detection checks 
for are as follows: 


— Windows XP 
— Windows XP Service Pack 1 
— Windows XP Service Pack 2 
— Windows 2000 
— Windows 2000 Service Pack 1 
— Windows 2000 Service Pack 2 
— Windows 2000 Service Pack 3 
— Windows 2000 Service Pack 4 
— Windows NT Service Pack 6 
— Windows Millennium Edition 
— Windows 98 


■ Feature—Select this option to enable System Detection for one of the two core CSD 
features, Secure Desktop or Cache Cleaner. You can select one of these features from the 
drop-down list. If the CSD feature is not active in other components, the client will fail 
when the VPN Feature Policy criteria check is performed. 
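The VPN Feature Policy evaluation described above (ON, OFF, or ON if criteria are matched; OR inside a System Detection category, AND across the categories you selected; the Feature category requiring the named CSD module to be active), as an added example in Python. It is not Cisco's code and does not claim to reproduce the concentrator's implementation. The product strings, the feature names in the sample policy and the host states are constructed from the lists on this page for illustration only.

```python
"""Model of a VPN Feature Policy with System Detection criteria.

Added illustration, not Cisco code. Rules from the text:
  - a feature is ON, OFF, or "ON if criteria are matched"
  - inside a category (antivirus, firewall, OS, feature) the choices are ORed
  - the categories you select are ANDed: every selected category must pass
  - the Feature category requires the named CSD module to actually be active
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class HostState:
    """System Detection results for one client (constructed sample data)."""
    antivirus: Set[str]          # antivirus products found installed
    firewalls: Set[str]          # personal firewalls found running
    os: str                      # operating system and service pack
    csd_module: Optional[str]    # "Secure Desktop", "Cache Cleaner" or None


@dataclass
class Criteria:
    """Categories selected in the criteria dialog; an empty set means not selected."""
    antivirus: Set[str] = field(default_factory=set)
    firewalls: Set[str] = field(default_factory=set)
    os: Set[str] = field(default_factory=set)
    feature: Optional[str] = None

    def passes(self, host: HostState) -> bool:
        checks = []
        if self.antivirus:
            checks.append(bool(self.antivirus & host.antivirus))  # OR inside category
        if self.firewalls:
            checks.append(bool(self.firewalls & host.firewalls))
        if self.os:
            checks.append(host.os in self.os)
        if self.feature is not None:
            checks.append(host.csd_module == self.feature)
        return all(checks)                                         # AND across categories


@dataclass
class FeatureSetting:
    mode: str                          # "ON", "OFF" or "ON if criteria are matched"
    criteria: Optional[Criteria] = None


def feature_enabled(setting: FeatureSetting, host: HostState) -> bool:
    """Apply one feature's drop-down setting to a detected host state."""
    if setting.mode == "ON":
        return True
    if setting.mode == "OFF":
        return False
    if setting.mode == "ON if criteria are matched":
        return setting.criteria is not None and setting.criteria.passes(host)
    raise ValueError(f"unknown feature mode: {setting.mode!r}")


def evaluate_policy(policy: Dict[str, FeatureSetting], host: HostState) -> Dict[str, bool]:
    """Decide, per feature, what this client gets for the location."""
    return {name: feature_enabled(setting, host) for name, setting in policy.items()}


# Constructed sample policy using product names from the System Detection lists
MANAGED_HOST = Criteria(
    antivirus={"McAfee VirusScan Enterprise 8.0", "Norton AntiVirus Corporate 9.0"},
    firewalls={"Cisco Security Agent 4.5"},
    os={"Windows XP Service Pack 2", "Windows 2000 Service Pack 4"},
    feature="Secure Desktop",
)
POLICY = {
    "Web Browsing": FeatureSetting("ON"),
    "Port Forwarding": FeatureSetting("OFF"),
    "Full Tunneling": FeatureSetting("ON if criteria are matched", MANAGED_HOST),
}

if __name__ == "__main__":
    host = HostState({"Norton AntiVirus Corporate 9.0"}, {"Cisco Security Agent 4.5"},
                     "Windows XP Service Pack 2", "Secure Desktop")
    print(evaluate_policy(POLICY, host))
```

A host that runs one of the listed antivirus products but a firewall outside the selected set fails the whole criteria check, which is the AND between categories the text describes; a host that satisfies every category but has no active Secure Desktop module fails on the Feature category alone.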




Configuring Secure Desktop General 


You can configure this setting for a location name, to either enable or disable the Secure 
Desktop features to customize the user experience. 


[Figure: Configuring Secure Desktop General. Screenshot of the Secure Desktop General window for a location in the VPN 3000 Concentrator Series Manager.] 
You can select the following options as required by your network: 


■ Automatically switch to Secure Desktop after installation—Select this option to enable 
Secure Desktop to load automatically after the installation. 


■ Check for keystroke logger before Secure Desktop creation—Select this option to check 
that no keystroke logging application is running on the client's computer before the Secure 
Desktop space is created. This feature can be enabled only on hosts where the client has 
administrator privileges. 


■ Enable switching between Secure Desktop and Local Desktop—Select this option to 
enable your clients to switch between the Secure Desktop and the untrusted desktop. This is 
known as desktop switching. It gives clients the flexibility to respond to 
a prompt from another application. To enable CSD to continue processing your client, 
click the OK button. 


Note Deselecting this attribute eliminates the potential security risk posed by a user who leaves 
traces on the untrusted desktop. Thus, you may choose to deselect this option if the security 
risk is a bigger issue than the deployment advantages of the alternative. 


■ Enable Vault Reuse—Select this option to allow users to close the Secure Desktop and 
open it again at a later time, creating a persistent desktop that is available from one session 
to the next. If you enable this option, users must enter a password (up to 127 characters in 
length) when CSD creates the Secure Desktop. This is useful if users are running the 
Secure Desktop on computers that are likely to be reused, for example, a home computer. 
When a user closes the Secure Desktop, the Vault is not wiped out. If you do not enable 
this option, CSD automatically destroys the Vault at the end of each Secure Desktop 
session. 


■ Enable Secure Desktop inactivity timeout—Select this option to specify the duration of 
inactivity after which CSD automatically closes the Secure Desktop. Choose a value from 
the Timeout After drop-down menu. Because CSD is running on the client machine, it can 
detect inactivity and close the Secure Desktop. Note that this works only if the Enable 
switching between Secure Desktop and Local Desktop option is checked. 


■ Open following Web page after Secure Desktop closes—Select this option and type a 
URL in the text box to have CSD automatically open a web page when the Secure Desktop 
closes. 


■ Suggest application uninstall upon Secure Desktop closing—Select this option to 
prompt the user and recommend that the Secure Desktop be uninstalled when it closes. 
However, the user has the choice to refuse the uninstallation. 


Note Leave this option disabled for users to be able to use the Vault. By selecting this option, you 
can uninstall the Vault from the user's computer when the Secure Desktop closes. 


■ Force Uninstall of application when Secure Desktop closes—Select this option to 
remove the Secure Desktop application from untrusted computers after users are done using it. 
CSD uninstalls itself when the Secure Desktop closes. 


Note Leave this option disabled for the users to be able to use the Vault. Selecting this option 
uninstalls the Vault from the user's computer when the Secure Desktop closes. 
Configuring Secure Desktop Settings 


You can click the Secure Desktop Settings icon for a particular location to place restrictions 
on the Secure Desktop experience. The Secure Desktop Settings window appears. 


[Figure: Configuring Secure Desktop Settings. Screenshot of the Secure Desktop Settings window for a location in the VPN 3000 Concentrator Series Manager.] 
You can select the following options in this window to apply the associated restrictions: 


■ Put Secure Desktop in restricted mode—Select this option to allow only the originating 
browser to run on the Secure Desktop. Therefore, the browser that started CSD (Internet 
Explorer, Netscape, Firefox, etc.) will be the only browser permitted to run in the Secure 
Desktop mode. By selecting this option, you limit the client's ability to use other 
applications, thereby providing higher security. 


■ Restrict Registry tools on Secure Desktop—Select this option to prevent the client from 
modifying the registry within the Secure Desktop. 


■ Restrict DOS-CMD tools on Secure Desktop—Select this option to prevent the client 
from running the DOS command prompt within the Secure Desktop. 


■ Restrict Printing on Secure Desktop—Select this option to prevent the client from 
printing while using the Secure Desktop space. By selecting this option, you can ensure that 
sensitive information stays within the Secure Desktop. 
Configuring Secure Desktop Browser Settings 


You can click the Secure Desktop Browser icon for a particular location to customize the 
settings for the Secure Desktop browser. 


[Figure: Configuring Secure Desktop Browser. Screenshot of the Secure Desktop Browser window for a location.] 
You can customize the browser settings by changing the default home page and customizing 
bookmarks by adding favorite URLs to the default Favorites folder. You can also create 
subfolders under the default Favorites folder to add bookmarks for the URLs. 
Configuring the Mac & Linux Cache Cleaner 


To set up CSD for Macintosh and Linux clients, you need to configure the Mac & Linux 
Cache Cleaner option. 


[Figure: Configuring the Mac & Linux Cache Cleaner. Screenshot of the Cache Cleaner—Mac & Linux window.] 
To configure the cache cleaner option for Macintosh and Linux clients, click Mac & Linux 
Cache Cleaner in the subtree on the left. The Cache Cleaner—Mac & Linux window 
appears. 


In this window, you can set the following attributes: 


■ Launch cleanup upon global timeout/Timeout after—Select this option to set a global 
timeout after which CSD will launch the Cache Cleaner. You set the timeout 
period from the drop-down list. 


■ Let user reset timeout—Select this option to enable your client to reset the timeout period. 


■ Launch cleanup upon exiting of browser—Select this option to launch a cache cleaning 
after the client closes all the browser instances. 


■ Enable Cancel button of cleaning—Select this option to enable your client to cancel the 
cache cleaning. 


■ Enable web browsing if Mac or Linux installation fails—Select this option to enable the 
remote clients to browse the web (with other remote access features disabled) if the 
Cache Cleaner installation fails. 


■ Web Browsing/File Access/Port Forwarding—Select ON or OFF to enable or disable 
these features. These attributes allow you to set the VPN Feature Policy for Macintosh and 
Linux users. This is similar to the way you set the VPN Feature Policy for Windows users, 
but without criteria checking and not on a location-specific basis. 
Reusing the Configuration Settings 


To reuse the Secure Desktop settings in configurations for additional secure gateways, click the 
Upload/Download Settings in the Secure Desktop Manager menu. The Upload/Download 
Configuration window appears. 


[Figure: Reusing the Configuration Settings. Screenshot of the Upload/Download Configuration window.] 
If you want to retain the Secure Desktop configuration for later retrieval, for example to develop 
additional secure gateway configurations, click the Download button to save the current CSD 
configuration in XML format. In response, another browser window opens, displaying the 
current configuration as an XML file. Save the file to your local computer. 


To reuse the configuration settings, copy the contents of an XML file containing a previously 
saved configuration, paste it in the Upload Configuration text box, and then click the Upload 
button. CSD loads the settings into the current configuration. 
Enabling Cisco Secure Desktop 


This topic describes how to enable CSD in the VPN 3000 series concentrator. 


[Figure: Enabling Cisco Secure Desktop. Screenshot of the Secure Desktop Setup window, which reports "Secure Desktop version 3.0.2.275 is currently installed and enabled. Choose one of the following actions and click the Apply button:" with the radio buttons Disable Secure Desktop, Enable Secure Desktop, Uninstall Secure Desktop, and Install a new Secure Desktop (Browse), followed by Apply and Cancel buttons.] 


For security reasons, CSD is not enabled by default after you install it. The threat of potential 
network attacks is very high if you allow anybody to use CSD without specifying access 
criteria such as antivirus, operating system, and IP-based location settings. Hence it is 
recommended that you configure the Secure Desktop security policies before enabling it for 
the users. 


To enable CSD, do the following: 


Step 1 Connect to the VPN 3000 Series Concentrator, and log in to the VPN 
Concentrator Manager application. 


Step 2 In the home page of VPN Concentrator Manager, click Configuration > 
Tunneling and Security > WebVPN > Secure Desktop > Setup window. 


Step 3 In the Secure Desktop window, click the Enable Secure Desktop radio button. 


Step 4 Click Apply and then click the Save Needed button to save the changes. 
Summary 


This section summarizes the information you learned in this chapter. 


Summary 

■ Cisco WebVPN solution offers Cisco Secure Desktop (CSD) to create a secure and 
customizable SSL VPN session for data theft prevention at the endpoint. 

■ CSD provides preconnection security state or “posture” assessment of the connecting 
device. It also offers security during the session by creating a secure virtual desktop 
that protects sensitive data. 

■ You need to install the securedesktop*.pkg file on the VPN 3000 concentrator, and then 
configure the settings before you enable it for remote users over WebVPN. 




Lab Exercise—Installing and Configuring Cisco Secure Desktop 


Complete the following lab exercise to practice what you learned in this chapter. 


Objectives 


Your task in this lab exercise is to install and configure the Cisco Secure Desktop (CSD). Work 
with your lab partner to complete the following tasks: 


■ Complete the lab exercise setup. 

■ Install Cisco Secure Desktop on the VPN 3000 concentrator. 

■ Create a Windows location. 

■ Configure the identification criteria for the Windows location. 

■ Configure the VPN Feature Policy for the Windows location. 

■ Enable Cisco Secure Desktop on the VPN 3000 concentrator. 


Visual Objective 


The following figure displays the configuration you will complete in this lab exercise. 


[Figure: Lab Visual Objective. A Student PC running the Cisco VPN Client connected to the Cisco VPN 3000 Series Concentrator.] 


Scenario 


Your employer has asked you to provide better security for your wireless users. You will install 
the Cisco Secure Desktop on the VPN 3000 concentrator and configure it for the employees 
connecting through the wireless network. 
Task 1—Complete the Lab Exercise Setup 


Before starting this lab exercise, verify your equipment as follows: 


■ Ensure that your student PC is powered on. 


■ Ensure your student PC IP addresses are configured correctly: 

— Primary IP address—172.26.26.P (where P = pod number) 
— Default gateway IP address—172.26.26.150 


■ Ensure that your Concentrator is powered on. 


Task 2—Installing Cisco Secure Desktop on VPN 3000 Concentrator 


Complete the following steps to install CSD. 


Step 1 Connect to the VPN 3000 Series Concentrator, and log in to the VPN Concentrator 
Manager application. The home page of the VPN Concentrator Manager application 
is displayed. 


Step 2 In the home page of VPN Concentrator Manager, choose Configuration > 
Tunneling and Security > WebVPN > Secure Desktop > Setup. 


Step 3 Click the Install a new Secure Desktop radio button. 


Step 4 Click the Browse button and then locate the CSD installation file on your 
management PC. 


Step 5 Click the Apply button. The File Upload window is displayed. 

Step 6 When the upload success message appears, click Save Needed. 


Step 7 Click the OK button when the Save Successful message box appears. 


Task 3—Creating a Windows Location 


Complete the following steps to create a new Windows location. 


Step 1  In the home page of the VPN Concentrator Manager, choose Configuration > Tunneling and Security > WebVPN > Secure Desktop > Manager. The Secure Desktop Manager for WebVPN window appears.

Step 2  Select the Windows Location Settings link.

Step 3  In the Location name textbox, type Working Users.

Step 4  Click the Add button. Notice that the location name is displayed in the Locations in priority order list.

Step 5  Select the Close all opened browser windows upon installation check box to remove unsecured Web browser sessions when CSD is installed.

Step 6  Click Save. The Secure Desktop Manager for WebVPN message box appears.

Step 7  Click the OK button.
Task 4—Configuring the Identification for the Windows Location 


Complete the following steps to configure the identification for the Windows location. 


Step 1  In the Secure Desktop Manager for WebVPN window, select the Working Users link. The Identification for Working Users page is displayed.

Step 2  Select the Enable Identification Using IP criteria check box.

Step 3  In the From textbox, type 192.168.1.1.

Step 4  In the To textbox, type 192.168.1.254.

Step 5  Click the Add button.

Step 6  Uncheck the Secure Desktop check box in the Use Module options at the bottom of the window.

Step 7  Click Save. The Secure Desktop Manager for WebVPN message box appears.

Step 8  Click the OK button.


Task 5—Configuring the VPN Feature Policy for the Windows Location 


Complete the following steps to configure the VPN Feature Policy for the Windows location. 


Step 1  In the Secure Desktop Manager for WebVPN window, select the VPN Feature Policy link for the Working Users location. The VPN Feature Policy page is displayed.

Step 2  Set all the attributes to ON to ensure that users connecting from the office environment have access to all the VPN features.

Step 3  Click Save to save the changes. The Secure Desktop Manager for WebVPN message box appears.

Step 4  Click the OK button.
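Tasks 3 through 5 identify the Working Users location by source address alone and then attach a relaxed policy to it: the Secure Desktop module is unchecked and every VPN feature is ON. Any client that arrives from 192.168.1.1 through 192.168.1.254 is therefore treated as a trusted office user, so the range must match the trusted network exactly and nothing else. The Python model below is an added example, not Cisco code and not the CSD implementation; it shows how a client is matched against the locations in priority order and which policy it ends up with, and it goes beyond the lab by also modelling the certificate, file and registry criteria listed in this module's self-check. It assumes that a location matches only when every criterion enabled on it is satisfied and that the first match in priority order wins; the second location ("Managed Laptops"), its certificate issuer name and the four feature names are invented for illustration, and the "absence of a file" criterion is not modelled.

```python
"""Added example (not Cisco code): model of Cisco Secure Desktop location
selection, using the "Working Users" location configured in this lab.

Assumptions: a location matches only when every criterion enabled on it
is satisfied; the first matching location in priority order wins; the
feature names, the second location and its certificate issuer are made up
for illustration.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional

# Assumed VPN Feature Policy attribute names (the lab only says "set all to ON").
FEATURES = ("Web Browsing", "File Access", "Port Forwarding", "Full Tunneling")


@dataclass(frozen=True)
class Client:
    """What the concentrator can learn about a connecting endpoint."""
    ip: str
    cert_issuer: Optional[str] = None
    files: frozenset = frozenset()
    registry_keys: frozenset = frozenset()


@dataclass
class Location:
    """One entry in the 'Locations in priority order' list."""
    name: str
    ip_ranges: list = field(default_factory=list)   # inclusive (From, To) pairs
    cert_issuer: Optional[str] = None                # certificate criterion
    required_files: frozenset = frozenset()          # file criterion (presence only)
    required_registry_keys: frozenset = frozenset()  # registry criterion
    secure_desktop: bool = True                      # "Use Module: Secure Desktop" box
    features: dict = field(default_factory=dict)     # VPN Feature Policy, name -> ON/OFF

    def matches(self, client: Client) -> bool:
        """Every enabled criterion must hold; a location with none enabled matches nobody."""
        checks = []
        if self.ip_ranges:
            addr = IPv4Address(client.ip)
            checks.append(any(IPv4Address(lo) <= addr <= IPv4Address(hi)
                              for lo, hi in self.ip_ranges))
        if self.cert_issuer is not None:
            checks.append(client.cert_issuer == self.cert_issuer)
        if self.required_files:
            checks.append(self.required_files <= client.files)
        if self.required_registry_keys:
            checks.append(self.required_registry_keys <= client.registry_keys)
        return bool(checks) and all(checks)


def select_location(locations, client):
    """First location in priority order that the client satisfies, else None."""
    return next((loc for loc in locations if loc.matches(client)), None)


def effective_policy(locations, client):
    """Location name, Secure Desktop module state and feature policy for a client."""
    loc = select_location(locations, client)
    if loc is None:
        return None
    return {"location": loc.name,
            "secure_desktop": loc.secure_desktop,
            "features": dict(loc.features)}


# Priority-ordered list. "Managed Laptops" is an assumed, stricter location placed
# ahead of the lab's "Working Users"; both cover the office range but only the
# first also demands a corporate certificate.
LAB_LOCATIONS = [
    Location("Managed Laptops",
             ip_ranges=[("192.168.1.1", "192.168.1.254")],
             cert_issuer="CN=Corp Issuing CA",          # assumed issuer name
             secure_desktop=True,
             features={f: "ON" for f in FEATURES}),
    Location("Working Users",                            # as configured in Tasks 3-5
             ip_ranges=[("192.168.1.1", "192.168.1.254")],
             secure_desktop=False,
             features={f: "ON" for f in FEATURES}),
]

if __name__ == "__main__":
    # Constructed sample clients, not captured data.
    for c in (Client("192.168.1.77"),
              Client("192.168.1.77", cert_issuer="CN=Corp Issuing CA"),
              Client("10.20.30.40")):
        print(c.ip, effective_policy(LAB_LOCATIONS, c))
```

Run as a script it prints the policy for three constructed clients: an in-range client without a certificate lands in Working Users with the Secure Desktop module off, the same client presenting the corporate certificate is caught by the stricter location listed first, and a client outside the range matches nothing. The ordering matters: if Working Users were listed first it would swallow the certificate-bearing client too, which is why the lab's Add button shows the list "in priority order".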


Task 6—Enabling Cisco Secure Desktop 


Complete the following steps to enable CSD on the VPN 3000 concentrator. 


Step 1  In the home page of the VPN 3000 Concentrator Manager, choose Configuration > Tunneling and Security > WebVPN > Secure Desktop > Setup.

Step 2  Click the Enable Secure Desktop radio button.

Step 3  Click the Apply button.

Step 4  Click Save Needed. The Save Successful message box appears.

Step 5  Click the OK button.
Module Summary 


This topic summarizes the key points that were discussed in this module. 


Module Summary 


■ The Cisco VPN 3000 Series Concentrator running version 4.7 or later offers extensive application support through its dynamically downloaded Cisco SSL VPN Client for WebVPN.

■ The Cisco SSL VPN Client provides secure access to the corporate network by establishing end-to-end, encrypted VPN tunnels.

■ Cisco Secure Desktop (CSD) provides endpoint security when a remote user accesses the corporate network through WebVPN.

■ After installing the CSD, you need to configure the Secure Desktop Manager options before you enable it for the remote clients.


This module covered how the Cisco VPN 3000 Series Concentrator running version 4.7 or later 
offers extensive application support through its dynamically downloaded Cisco SSL VPN Client 
for WebVPN. It first presented how to install the Cisco SSL VPN Client and configure it for 
remote users. It then covered how the Cisco Secure Desktop (CSD) provides endpoint security 
when a remote user accesses the corporate network through WebVPN, how to install the CSD on 
the VPN 3000 concentrator, and how to configure options such as Windows locations for 
different user groups, the VPN Feature Policy, and Secure Desktop settings. Finally, the module 
showed how to enable the CSD on the VPN 3000 concentrator after the Secure Desktop Manager 
options have been configured. 




Copyright © 2005, Cisco Systems, Inc. Using Cisco VPN 3000 Series Concentrator v 4.7 18-64 


Module Self-Check 


Use the questions here to review what you learned in this lesson. The correct answers and 
solutions are found in the Lesson Self-Check Answer Key. 


Q1) Which of the following options are components of the Client Config Tab? (Choose 
two.) (Source: Configuring Group Options on Client Config Tab) 
    A) Split Tunneling Policy 
    B) IE Proxy Server 
    C) Enable Citrix MetaFrame 
    D) DHCP Network Scope 


Q2) You need a VPN 3000 Series Concentrator running version ____ or later for 
installing the Cisco SSL VPN Client. (Source: Administrative Requirements for Installing 
Cisco SSL VPN Client) 
Q3) Match each component with the appropriate tab. (Source: Configuring Group Options 
on General Tab, Configuring Group Options on Client Config Tab, Configuring Group 
Options on WebVPN Tab) 
    A) Secondary DNS 
    B) Subnet Mask 
    C) Strip Realm 
    D) Banner 
    E) Apply ACL 
    F) Filter Script 

    1. General Tab 
    2. Client Config Tab 
    3. WebVPN Tab 


Q4) You are a remote user, and the Cisco SSL VPN Client has not been installed on the client 
PC. How would you go about installing it? Arrange the steps involved in installing the 
Cisco SSL VPN Client in the correct order. 
    A) Enter the IP address of the VPN 3000 Series Concentrator in the web browser. 
    B) Download the sslclient-win*.pkg file to any location on your PC. 
    C) Log in to the VPN 3000 Series Concentrator Manager by entering the username and 
       password. 
    D) A security alert certificate dialog box is displayed. Click Yes. 
    E) Click Tunneling and Security. 
    F) Click the Configuration menu. 
    G) Click the Browse button to open the Choose File dialog box and then click Open 
       after locating the Cisco SSL VPN package file. 
    H) Click the Cisco SSL VPN Client link to install it. 
    I) Click the Install a new Cisco SSL VPN Client option button. 
    J) Click Apply to display the File Upload window. When the Upload Complete message 
       appears, click Save Needed to save the configuration. 
    K) Click the OK button on the Save Successful dialog box. 
    L) Click WebVPN. 
Q5) To install the CSD you will have to do the following. Arrange the steps in the correct 
order. (Source: Installing and Enabling the Cisco Secure Desktop) 
    A) Click the Browse button and then locate the CSD installation file on your 
       management PC. 
    B) In the home page of the VPN Concentrator Manager, click Configuration > 
       Tunneling and Security > WebVPN > Secure Desktop > Setup. 
    C) Connect to the VPN 3000 Series Concentrator, and log in to the VPN Concentrator 
       Manager application. 
    D) Click the Install a new Secure Desktop radio button. 
    E) Click the Save Needed link at the top of the page to save the settings. 
    F) Click the Apply button. The CSD is installed on the VPN Concentrator and a Secure 
       Desktop Package Upload Success window is displayed. 


Q6) Match the options that appear in the CSD Manager window with their settings. 
(Source: Secure Desktop Manager Options) 
    A) Windows Location Settings 
    B) Mac & Linux Cache Cleaner 
    C) Upload/Download Settings 

    1. To configure the settings for Mac and Linux users 
    2. To upload saved configurations or download the current configuration 
    3. To define the different locations that users will connect from 


Q7) A location can be based on ____. (Choose four.) (Source: Secure Desktop Manager 
Options) 
    A) Passwords entered 
    B) A configuration setting 
    C) A certificate 
    D) An IP address range 
    E) The presence or absence of a particular file 
    F) A registry entry 


Q8) Which of the following features does Cisco Secure Desktop provide? (Choose three.) 
(Source: Cisco Secure Desktop-An Overview) 
    A) Data theft prevention 
    B) Data protection 
    C) Post-connection cleanup 
    D) Securely extends the corporate network to an authorized user 
    E) Access to the corporate network from any supported browser 
Module Self-Check Answer Key 


Q1) A, B 

Q2) 4.7 

Q3) 1-A, C 
    2-B, D 
    3-E, F 

Q4) B, A, D, C, F, E, L, H, I, G, J, K 

Q5) C, B, D, A, F, E 

Q6) A-3 
    B-1 
    C-2 

Q7) C, D, E, F 

Q8) A, B, C 